In this lesson, we solve a mystery by using Google hacking techniques and
show how to bootstrap and bring in a more
sophisticated hacking Trojan into the weak machine.
Years ago, our system administrator came to my office and said, "Yeah,
there is a hidden file .1.php,
which is used by outsiders on your server very frequently."
It was in my web programming class PHP directory.
I looked at it and found out
the content was very strange.
The file has seven lines and 23,343 characters,
and the first six lines are readable and contain what is shown here.
After the <?php we know it's a PHP script.
The second line, $auth_pass,
has a very strange character string.
And I looked at that and said, "Authentication (auth).
There must be some sort of password."
And so on up to the sixth line.
The seventh line shows preg,
which is post group regular expression, replace.
And after that is a whole bunch of hexadecimal characters indicated by the \x.
The web page, once you execute it,
asks for a password.
So now the question.
What is the password we need to enter?
It appears it has one, and so I was puzzled: what would the password be?
And I tried to copy that long string into the password box; it doesn't work.
Actually, think about that.
I will give you a hint: it is the title of the slide.
We keep using the title of the slide as a hint to solve the puzzle.
We know it is a PHP script.
The first assignment may indicate an authentication password.
So we need to be careful.
And when we type in this password as it is, it doesn't work.
Google hacking, as defined on the Google website, is also named
Google dorking and is a computer hacking technique that uses the Google search engine to
retrieve potential information about the victim's site or the victim's code.
You can also use other Google applications to find a security hole either in
the configuration file or in computer code that may
have an encrypted kind of password string,
by copying and pasting
the auth_pass variable value into the Google search engine.
One, we find out the password is root,
and it's actually the MD5 message function value for putting in the plaintext root.
There are many sites that actually show up in the query.
And they actually perform this kind of dictionary lookup, using
the machine to produce known plaintext words and the corresponding SHA hashing value.
Anybody can do a query then by putting in
the encrypted string, and it will come back with the original plaintext.
The second entry in the return,
which I show in the web page,
actually even shows the actual source code of the .1.php.
The code can be downloaded from
https://www.exploit-dp.com, an authentic security website.
And you can also click on the link,
the second link in the web page, to download that from the GitHub website.
How do we get .1.php over to our midterm directory? That's a question.
Very quickly we'll find out we will be using the popular command wget.
We can retrieve the web content via that.
But if we do that,
what we find is that the .1.php file access
will actually be executed, and we now return
the intended source code of the PHP file to our written website.
It will be executed and the returned HTML file is
now the .php source code we'd rather put into the midterm site.
And how can we solve this?
It turns out, instead of using straightforward wget,
we need to run PHP code.
We call it download.php.
And this download.php will listen to a query string with name as the key,
and the value will be received as a filename.
Okay. And what it is going to do is view all the content
of the specified file in the Viva machine,
in this case, which is to provide a lot of source code, really as PHP code,
as binary content, and ship it out with
a MIME header Content-Type: application/octet-stream.
And by doing that it bypasses the web server.
It will not be interpreted,
and the PHP source data will be saved as a file.
And here basically, I'm showing you the kind of header it is going to generate: content type,
the encoding is binary, the length,
using file size with the parameter $name, the filename.
And then you're using the file as PHP code to read in the whole content of the file.
Therefore, the command we will use is wget with download.php?
which is followed by
name=.1.php, and we will have that executed on cs591.
And the result is that we nicely bring in the PHP.
But unfortunately, it created the file not as .1.php;
it created a file with the strange name 'download.php?name=.1.php',
using the last part
of the wget URI as the filename.
So the question to you is how can you try to hide
this file, because download.php, even [inaudible], will show up.
So I would even figure out this puzzle.
Here we show the layout of this sophisticated Trojan spyware.
It displays the directory content with a lot of useful system information.
By typing the text into the Make dir box in the bottom part of the four dialog boxes,
one of them is Make dir,
you can even create a directory.
Making a directory is so powerful.