At this point we are running as nobody.
6.2.2 ptrace1.c - privilege escalation
Run ptrace1.c.
Verify by running the commands:
id
cat /etc/shadow
The effective uid (euid) of the shell.cgi process is 0, which is that of the root user.
pip(vniss)
One-way Web Hacking (lesson 8)
7.0 Web based SQL Command Prompts
One-way hacking can be extended beyond file transfer or remote command execution over HTTP. One of the most important parts of an application is its database. In this section we extend the concept of one-way hacking to interactively controlling the database server by creating a web based SQL command prompt.
A web based SQL command prompt lets the user connect to the DB server through an HTML interface and execute commands through an HTML form.
7.1 Anatomy of an SQL command prompt - sqlquery.asp
Here is an example of a web based SQL command prompt:
The other two parameters, Driver and Connection String, are used for selecting the proper driver and path for the database. Connection String is an optional parameter. In sqlquery.asp, we have an option of connecting via four drivers, namely Microsoft SQL Server, Oracle over ODBC, MySQL over ODBC and Foxpro. More drivers can be added very easily.
(Thanks to Ketan Vyas for sqlquery.asp)
The code referred to above: sqlquery.asp
7.2 An example - IIS and MS SQL server
Assume that www1.example.com has already been compromised and that we have a web based file uploader, upload.asp, and a web based command prompt, cmdasp.asp:
Now we upload sqlquery.asp to www1.example.com and use it to attack the database server at 10.0.1.2.
7.3 Uploading sqlquery.asp
7.4 Pilfering the web application
Before we can connect to the back-end database, we need to know how to establish a connection to the database, and with what credentials. Upon inspecting the source code of the web application hosted on www1.example.com, the following lines were found:
Set Con = Server.CreateObject("ADODB.Connection")
Con.Open "Provider=SQLOLEDB; Data Source=10.0.1.2; Initial Catalog=art;
User Id=sa; Password=sys+adm!n"
Set RS = Con.Execute("select StockNumber,Name,Description,Artist,
ListPrice,image from PRODUCTS where ID = " +
Request.QueryString("ID"))
These lines from the application source code provide us with enough information to connect to the back-end database server on 10.0.1.2.
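The two weaknesses in the lines above are the hard-coded sa credentials and the query built by string concatenation with Request.QueryString("ID"). The following hardened form of the same PRODUCTS lookup is an added example, not code from the original paper or from sqlquery.asp; it assumes a read-only SQL login (not sa) whose connection string has been loaded into Application("ArtDbConnectionString") from a file outside the web root.

```vbscript
<%
Option Explicit
' Hardened PRODUCTS lookup (added example, not from the original paper).
' Assumptions: the login in the connection string only has SELECT on PRODUCTS,
' and Application("ArtDbConnectionString") was populated at startup from a
' configuration file kept outside the web root, so no password sits in page source.

Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Returns an open recordset for one product, or Nothing when the ID is not a
' whole number. The ID is bound as a typed parameter, so any extra SQL appended
' to the query string value can never become part of the statement.
Function LookupProduct(rawId)
    Dim Con, Cmd, productId

    Set LookupProduct = Nothing
    If Not IsNumeric(rawId) Then Exit Function
    If CDbl(rawId) <> Fix(CDbl(rawId)) Then Exit Function   ' reject values such as "1.5"
    productId = CLng(rawId)

    Set Con = Server.CreateObject("ADODB.Connection")
    Con.Open Application("ArtDbConnectionString")

    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Con
    Cmd.CommandType = adCmdText
    Cmd.CommandText = "SELECT StockNumber, Name, Description, Artist, ListPrice, image " & _
                      "FROM PRODUCTS WHERE ID = ?"
    Cmd.Parameters.Append Cmd.CreateParameter("@ID", adInteger, adParamInput, , productId)

    Set LookupProduct = Cmd.Execute
End Function

Dim RS
Set RS = LookupProduct(Request.QueryString("ID"))
If RS Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product ID."
ElseIf Not RS.EOF Then
    ' Encode output so database content cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(RS("Name").Value) & " by " & Server.HTMLEncode(RS("Artist").Value)
End If
%>
```

Running the application under a least-privilege login rather than sa also means a compromised web tier cannot reach extended stored procedures such as xp_cmdshell, which should additionally be disabled on the server unless there is a documented need for it.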
7.5 Executing SQL queries via sqlquery.asp
This shows application data being displayed from a table called PRODUCTS, hosted on the "art" database:
One-way Web Hacking (lesson 9)
7.6 Executing stored procedures
The SQL command prompt can also be used for executing stored procedures. In this example, we are accessing the back-end database using system administrator (sa) privileges. Therefore it is possible to execute stored procedures such as "xp_cmdshell" to execute arbitrary commands on the database